Abstract. We start from a basic and fruitful idea in current work on the formal analysis and verification of hybrid and real-time systems: the uniform representation of both sorts of state dynamics - both continuous evolution within a control mode, and the effect of discrete jumps between control modes - as abstract transition relations over a hybrid space $X \subseteq Q \times \mathbb{R}^n$, where $Q$ is a finite set of control modes. The resulting “machine” or transition system model is currently analyzed using the resources of concurrent and reactive systems theory and temporal logic verification, abstracted from their original setting of finite state spaces and purely discrete transitions. One such resource is the propositional μ-calculus: a richly expressive formal logic of transition system models (of arbitrary cardinality), which subsumes virtually all temporal and modal logics. The key move here is to view the transition system models of hybrid automata not merely as some form of “discrete abstraction”, but rather as a skeleton which can be fleshed out by imbuing the state space with topological, metric tolerance or other structure. Drawing on the resources of modal logics, we give explicit symbolic representation to such structure in polymodal logics extending the modal μ-calculus. The result is a logical formalism in which we can directly and simply express continuity properties of transition relations and metric tolerance properties such as “being within distance ε” of a set. Moreover, the logics have sound and complete deductive proof systems, so assumptions of continuity or tolerance can be used as hypotheses in deductive verification. By also viewing transition relations in their equivalent form as set-valued functions, and drawing on the resources of set-valued analysis and dynamical systems theory, we open the way to a richer formal analysis of robustness and stability for hybrid automata and related classes of systems.


1 Introduction

It is hardly controversial to claim that the μ-calculus is a formal logic of central import for the analysis and verification of hybrid automata and related classes of systems. The fundamental concepts of reachability and invariance are expressible in terms of fixed-points of operators mapping sets of states to sets of states, and are thus definable in the language of the μ-calculus. The iterative computation of the denotation of such fixed point formulas lies at the heart of symbolic model checking tools for hybrid and real-time systems such as HyTech [4], [19] and Kronos [13]. More generally, the propositional μ-calculus is well-recognized as a richly expressive logic over transition system models: the power of its fixed-point quantifiers is such that it subsumes virtually all temporal, modal and dynamic logics [15], [25].

However, the current practice, within the allied field of automated verification of (discrete) reactive systems as well as within the hybrid systems community, is to consider the μ-calculus not as a working or usable logic but rather as a logic of the substratum. It provides a common “machine” language and semantics for verification by model checking, with user-input specifications written in the more “natural” languages of temporal logics, and then translated into that of the μ-calculus.

This paper challenges that practice, and demonstrates that the propositional μ-calculus and various of its modal logic extensions can provide both an expressively rich and “human readable” formalism for reasoning about properties of hybrid dynamical systems.

We begin with the “machine” or transition system models of hybrid systems, in which both sorts of state transformation - continuous evolution within a control mode, and the effects of discrete jumps between control modes - are uniformly represented as abstract transition relations $r \subseteq X \times X$ over a hybrid state space $X \subseteq Q \times \mathbb{R}^n$, where $Q$ is a finite set of control modes or discrete states.

Formally, define a labeled transition system (LTS) (or generalized Kripke model) to be a structure

$$\mathfrak{M} = \left( X,\ \{a^{\mathfrak{M}}\}_{a \in \Sigma},\ \{\|p\|^{\mathfrak{M}}\}_{p \in \Phi} \right) \qquad (1)$$

where $X \neq \emptyset$ is the state space (of arbitrary cardinality); for each transition label $a \in \Sigma$, $a^{\mathfrak{M}} \subseteq X \times X$ is a binary relation on $X$; and for each propositional constant (observation or event label) $p \in \Phi$, $\|p\|^{\mathfrak{M}} \subseteq X$ is a fixed subset of $X$.

An LTS model is a clean and simple abstraction of a finite automaton. Such an $\mathfrak{M}$ is an abstract machine over state space $X$, with input or action alphabet $\Sigma$ and transition map $\delta : X \times \Sigma \to \mathcal{P}(X)$ given by: $x' \in \delta(x, a)$ iff $x \xrightarrow{a} x'$. It is additionally equipped with an observation alphabet $\Phi$ and an output map $o : X \to \mathcal{P}(\Phi)$ given by: $o(x) = \{\, p \in \Phi \mid x \in \|p\|^{\mathfrak{M}} \,\}$; sets of initial or final states can be identified by specific labels in $\Phi$.

A (basic) hybrid automaton $\mathcal{H}$ is typically represented by a graph of the form depicted in Figure 1. Hybrid automata and their associated LTS models are examined in more detail in Section 2; for now, we give a high-level description, based on Henzinger’s “time-abstract” transition system in [19] §1.2.

Fig. 1. Basic hybrid automaton


An LTS model $\mathfrak{M}_{\mathcal{H}}$ of a hybrid automaton $\mathcal{H}$ has a state space $X \subseteq Q \times \mathbb{R}^n$, with $Q$ finite. So states are pairs $(q, x)$, where $q \in Q$ and $x = (x_1, \ldots, x_n) \in \mathbb{R}^n$. For each $q \in Q$, let $X_q \subseteq \mathbb{R}^n$ be the projection of $X$ under $q$. The transition alphabet $\Sigma$ will include symbols such as $e_q$ for the relation of evolution (a “time-step” or “continuous transition”) within each discrete mode $q \in Q$. In the basic case, such a relation is defined by: $(q, x) \xrightarrow{e_q} (q, x')$ iff there is an integral curve along the flow $\phi_q$ connecting $x \in X_q$ to $x' \in X_q$, and all points on the curve between $x$ and $x'$ lie inside the invariant set $Inv_q \subseteq X_q$. The transition alphabet will also include, for each edge $(q, q')$ in the discrete transition graph $G \subseteq Q \times Q$ of $\mathcal{H}$, a symbol $c_{q,q'}$ for the controlled jump relation (a “step” or “discrete transition”) modeling the effect of making a controlled switch from mode $q$ to mode $q'$. Such relations are standardly defined by: $(q, x) \xrightarrow{c_{q,q'}} (q', x')$ iff $x \in Grd_{q,q'}$, $x' \in Inv_{q'}$, and $x' \in r_{q,q'}(x)$, where $r_{q,q'} \subseteq X_q \times X_{q'}$ is a reset relation for the real-valued coordinates, and the domain $Grd_{q,q'} \subseteq X_q$ is known as the guard set of the discrete transition $(q, q')$. The alphabet $\Phi$ of atomic propositions will include $Init_q$ and $Inv_q$ for $q \in Q$, and $Grd_{q,q'}$ for $(q, q') \in G$.

A trajectory of $\mathcal{H}$ is a finite or infinite sequence $(t_i, q_i, \gamma_i)_{i \in I}$ such that for each $i \in I$: the duration $t_i > 0$; the curve $\gamma_i : [0, t_i] \to X_{q_i}$ is such that $(q_i, \gamma_i(0)) \xrightarrow{e_{q_i}} (q_i, \gamma_i(t))$ for all $t \in [0, t_i]$; $(q_i, q_{i+1}) \in G$; and $(q_i, \gamma_i(t_i)) \xrightarrow{c_{q_i, q_{i+1}}} (q_{i+1}, \gamma_{i+1}(0))$. When $I$ is finite, with largest element $N$, it is allowed that $t_N = \infty$. When a hybrid automaton is thought of as a discrete controller interacting with a physical plant, the class of trajectories, so defined, is founded on implicit operational assumptions of continuous and perfect precision sensing, and instantaneous control switches ([19]).

In the modal - as distinct from temporal - variant of the μ-calculus¹, the propositional language (over an alphabet $(\Sigma, \Phi)$) includes a dual pair of modal operators $[a]$ and $\langle a \rangle$, for each transition label $a \in \Sigma$. The (standard) relational Kripke semantics of the labeled modalities are given by the universal and existential pre-image operators of the corresponding relations $r = a^{\mathfrak{M}}$. For relations $r \subseteq X \times Y$, and sets $A \subseteq Y$,

$$\tau(r)(A) \;\stackrel{\text{def}}{=}\; \{\, x \in X \mid (\forall y \in Y)[\, x \xrightarrow{r} y \Rightarrow y \in A \,] \,\}$$
$$\sigma(r)(A) \;\stackrel{\text{def}}{=}\; \{\, x \in X \mid (\exists y \in Y)[\, x \xrightarrow{r} y \wedge y \in A \,] \,\} \qquad (2)$$

In the notation of [20], $\sigma(r) = pre[r]$ and $\tau(r) = \widetilde{pre}[r]$. The semantic readings of the modalities are forward-looking, and in temporal logics, they are known as relativized next operators:

$[a]\varphi$ ≐ “All $a$-successors satisfy $\varphi$”

$\langle a \rangle \varphi$ ≐ “Some $a$-successor satisfies $\varphi$”

The temporal variant of the μ-calculus usually works with the global transition relation $R_{\mathfrak{M}} = \bigcup_{a \in \Sigma} a^{\mathfrak{M}}$ (standardly assumed to be total) and the modal operators are replaced by global temporal “next” operators: $\forall X$ or $\forall\bigcirc$, and $\exists X$ or $\exists\bigcirc$.

Sentences $\varphi$ of the μ-calculus denote sets of states $\|\varphi\|^{\mathfrak{M}} \subseteq X$, and a sentence is true in $\mathfrak{M}$, written $\mathfrak{M} \models \varphi$, iff $\|\varphi\|^{\mathfrak{M}} = X$, or equivalently, $\|\neg\varphi\|^{\mathfrak{M}} = \emptyset$. The propositional connectives $\neg$, $\wedge$ and $\vee$ are interpreted by set theoretic complement, intersection and union, and other connectives and constants defined in the usual way. In particular, $\|tt\|^{\mathfrak{M}} = X$, and an implication $\varphi \to \psi$ is true in $\mathfrak{M}$ exactly when $\|\varphi\|^{\mathfrak{M}} \subseteq \|\psi\|^{\mathfrak{M}}$. As a point of contrast, in the language of linear temporal logic LTL, sentences denote sets of (finite or infinite) paths or trajectories of the LTS model, rather than sets of states. In the language of the branching temporal logic CTL*, there are two sorts of sentences: state sentences, true or false at states of the LTS model, and path sentences, true or false of infinite paths through the model. An $\exists$ or $\forall$ path quantifier applied to a path sentence produces a state sentence, and such quantification is definable using the least and greatest fixed-point quantifiers of the μ-calculus.

¹ The formal syntax and semantics of the μ-calculus are reviewed in detail in Section 3 below. For an account of the modal and temporal flavors of the μ-calculus, see [38] §4.2. [15] is a good source for translations of various linear and branching time temporal logics into the μ-calculus. For background on modal logics, see [9], [35].

The principal advantage of working in the modal rather than temporal framework is that it gives a modular specification language for expressing properties of transition systems: we can describe and reason about each of the component transition relations of an LTS model, and how they are combined to form more complex transition relations. In particular, we can give a clean and modular formal description of classes of trajectories of the system.

The modal sentences:

$$\psi \to [c_{q,q'}]\varphi \qquad \text{and} \qquad \psi \to [e_q]\varphi$$

with the semantic readings “If $\psi$ holds, then all $c_{q,q'}$-successors satisfy $\varphi$”, and likewise for $e_q$, correspond precisely to Manna and Pnueli’s two types of (temporal logic) safety verification conditions for hybrid systems in [29] §4.1. Their notation is: $\{\psi\}\tau\{\varphi\}$ and $\{\psi\}cont\{\varphi\}$, respectively, where $\tau$ ranges over jump transitions and “cont” denotes the union of all the evolution relations.

The modal sentence

$$\langle e_{q_0} \rangle \langle c_{q_0,q_1} \rangle \langle e_{q_1} \rangle \langle c_{q_1,q_2} \rangle \langle e_{q_2} \rangle \cdots \langle e_{q_{k-1}} \rangle \langle c_{q_{k-1},q_k} \rangle \langle e_{q_k} \rangle\, \varphi \qquad (3)$$

denotes the set of states $(q_0, x)$ from which some trajectory with discrete trace $(q_0, q_1, \ldots, q_k)$ reaches the set $\|\varphi\|^{\mathfrak{M}} \subseteq X$. Dually, the modal sentence

$$[e_{q_0}][c_{q_0,q_1}][e_{q_1}][c_{q_1,q_2}][e_{q_2}] \cdots [e_{q_{k-1}}][c_{q_{k-1},q_k}][e_{q_k}]\, \varphi \qquad (4)$$

denotes the set of states from which all $(q_0, q_1, \ldots, q_k)$-trajectories reach the set $\|\varphi\|^{\mathfrak{M}}$ upon the last jump $c_{q_{k-1},q_k}$ and remain in $\|\varphi\|^{\mathfrak{M}}$ throughout the last evolution $e_{q_k}$.

Defining $e$ and $c$ to denote the relational sum (union) of, respectively, the relations for the $e_q$’s for $q \in Q$, and the relations for the $c_{q,q'}$’s for $(q, q') \in G$, the dynamics of the class of all hybrid trajectories with finite discrete traces are captured by the dual fixed-point definable modalities:

$$\langle h \rangle \varphi \;=\; \mu Z.\ \langle e \rangle \varphi \vee \langle e \rangle \langle c \rangle Z \qquad \text{and} \qquad [h]\varphi \;=\; \nu Z.\ [e]\varphi \wedge [e][c]Z \qquad (5)$$

The sentence $\langle h \rangle \varphi$ “unwinds” to the infinite union of all sentences of the form (3), and dually, $[h]\varphi$ corresponds to the intersection of all sentences of the form (4). As a regular expression, we have $h = (ec)^* e = e(ce)^*$ (so we are in fact working in the weaker propositional dynamic logic PDL, rather than the full μ-calculus). Semantically, $\langle h \rangle$ and $[h]$ correspond to the dual pre-image operators of the reachability relation $h$ of the system under the control of $\mathcal{H}$; that is, $(q, x) \xrightarrow{h} (q', x')$ iff some trajectory $(t_i, q_i, \gamma_i)_{i \in I}$ with $q_0 = q$ and $\gamma_0(0) = x$ passes through the point $(q', x')$.

We now have the formal linguistic machinery to succinctly express various system specifications. The safety sentence

$$Init \to [h]\varphi \qquad (6)$$

is true in the model $\mathfrak{M} = \mathfrak{M}_{\mathcal{H}}$ exactly when every trajectory that starts in the set $\|Init\|^{\mathfrak{M}}$ always remains within $\|\varphi\|^{\mathfrak{M}}$. More generally, we say a set $\|\varphi\|^{\mathfrak{M}}$ is future-invariant under $\mathcal{H}$ exactly when the sentence $\varphi \to [h]\varphi$ is true in $\mathfrak{M}$. We also have at our disposal (previously unutilized) deductive proof systems for the μ-calculus, such as Kozen’s axiomatization $\mathbf{L}\mu$ [23], [5], [40], which is sound and complete over arbitrary LTS models. From the fixed-point rules of $\mathbf{L}\mu$ (given in Section 5), one readily derives an obvious invariance rule for hybrid trajectories:

$$\frac{\psi \to \varphi \qquad \varphi \to [e_q]\varphi \qquad \varphi \to [c_{q,q'}]\varphi \qquad \text{for } q \in Q,\ (q, q') \in G}{\psi \to [h]\varphi} \qquad (7)$$

This is a simpler μ-calculus analog of the LTL invariance rule used in the verification of safety properties for hybrid automata in [29], [30].

To express liveness properties, we use modal analogs of the “box-diamond” construct in temporal logic. For example, the sentence

$$\varphi \to [h]\langle e \rangle \langle c \rangle \langle e \rangle tt \qquad (8)$$

is true in $\mathfrak{M}$ exactly when every maximal $\mathcal{H}$ trajectory from a state in $\|\varphi\|^{\mathfrak{M}}$ has an infinite discrete trace. This is so because $[h]\langle e \rangle \langle c \rangle \langle e \rangle tt$ denotes the set of states from which every trajectory with a finite discrete trace can be properly extended. Similarly, the sentence $\varphi \to [h]\langle e \rangle \langle c \rangle \langle e \rangle \varphi$ is true in $\mathfrak{M}$ exactly when every trajectory from $\|\varphi\|^{\mathfrak{M}}$ returns to $\|\varphi\|^{\mathfrak{M}}$ via a controlled jump infinitely often. And $[h]\langle h \rangle \varphi$ denotes the set of states from which every hybrid trajectory eventually reaches $\|\varphi\|^{\mathfrak{M}}$. Note that at this level of description, we cannot expressly rule out Zeno trajectories $(t_i, q_i, \gamma_i)_{i \in I}$ such that $I$ is infinite but $\sum_{i \in I} t_i < \infty$; by considering variant evolution relations $e_q$ defined using a minimal time duration $\delta$, we could.

A clean μ-calculus definition of the higher-order modalities $\langle h \rangle$ and $[h]$ also opens up new possibilities for aggregation in complex systems. We could model a complex system as a hybrid “meta-automaton”, where the dynamics at each discrete meta-mode $p \in P$ are given by the reachability relation $h_p$ of a (basic) hybrid automaton over state space $X_p \subseteq Q_p \times \mathbb{R}^n$, with switching relations from $X_p$ to $X_{p'}$ between automata, as illustrated in Figure 2. We now have the machinery with which to formally reason about the dynamics of such a creature.

We also gain a clearer view of the enterprise of symbolic model checking for hybrid and real-time systems, as implemented in tools such as HyTech and Kronos. The basic task of such systems is to compute the reachable region of a hybrid dynamical system under the control of a given hybrid automaton $\mathcal{H}$. As noted in the recent paper of Henzinger, Kupferman and Qadeer [20], to capture the notion “reachable from $\varphi$”, as distinct from “reaches $\varphi$”, one needs in the semantics the post-image, rather than the pre-image, operator of a relation. The cleanest way to do it is to use the basic identity: $post[r] = pre[\breve{r}]$, where $\breve{r}$ is the relational converse or inverse of $r$, and to extend the μ-calculus with a converse operation governed by the rule:

$$\langle \breve{a} \rangle \psi \to \varphi \quad \text{iff} \quad \psi \to [a]\varphi \qquad (9)$$

Fig. 2. Aggregation in complex systems

Then the sentence

$$\langle \breve{h} \rangle Init \qquad (10)$$

denotes the reachable region, where the post modalities $\langle \breve{h} \rangle$ and $[\breve{h}]$ are defined as in (5), but substituting the converse relations. Symbolic model checking tools attempt to compute the value of $\|\langle \breve{h} \rangle Init\|^{\mathfrak{M}_{\mathcal{H}}}$ as a first-order formula in $n+1$ free variables $(z, x_1, \ldots, x_n)$, in the language $\mathcal{L}(\mathcal{R})$ of, say, the structure $\mathcal{R} = (\mathbb{R}; <, +, -, \cdot, 0, 1, \{q\}_{q \in Q})$ as the real closed field² plus discrete constants. The procedure computes a sequence of first-order formulas $\chi_0, \chi_1, \ldots, \chi_k$, which are translations of the μ-calculus formulas forming the approximation sequence for $\langle \breve{h} \rangle Init$, with the translation starting from the explicit first-order definitions of the set $Init$ and the relations $e_q$ and $c_{q,q'}$. The procedure terminates at stage $k+1$ if the formula $\chi_{k+1} \leftrightarrow \chi_k$ is provable in the first-order theory $Th(\mathcal{R})$ of the relevant structure over $\mathbb{R}$, in which case the reachable region is defined by $\chi_k$. The procedure is guaranteed to terminate when the model $\mathfrak{M} = \mathfrak{M}_{\mathcal{H}}$ has a finite bisimulation quotient $\mathfrak{M}_{\approx}$, where $\approx$ is an equivalence relation on $X \subseteq Q \times \mathbb{R}^n$ which respects each of the transition relations $e_q$ and $c_{q,q'}$ and the observation sets $Init_q$, $Inv_q$, $Grd_{q,q'}$. The recent work by Lafferriere, Pappas, Sastry and Yovine [27], [28], identifies a class of systems whose LTS models $\mathfrak{M}_{\mathcal{H}}$ are first-order definable in an o-minimal structure $\mathcal{R}$ expanding the real-closed field. The finite cell decomposition property of such structures (together with a restriction on the form of the controlled jump relations $c_{q,q'}$) is used to construct the finite bisimulation equivalence. (The theory of definable sets in o-minimal structures is developed in van den Dries’ monograph Tame Topology and O-minimal Structures [14].)

² The real closed field $\mathcal{R}$ admits elimination of quantifiers, so all first-order formulas in the language are provably equivalent in the theory $Th(\mathcal{R})$ to a quantifier-free formula. The definable subsets of $\mathbb{R}^n$ in $\mathcal{R}$ are the semi-algebraic sets: finite unions of sets defined by equalities and inequalities over polynomials $f \in \mathbb{R}[X_1, \ldots, X_n]$ [14].

The basic propositional modal μ-calculus can provide both a usable and a richly expressive formalism for reasoning about the abstract dynamics of hybrid systems. We want and need more. We want to be able to express in our logical formalisms what we mean by continuous and discrete dynamics, and hybrids of the two. We want to be able to formally express notions of imprecision or metric tolerance, such as the property of “being within distance ε” of a set, for a particular ε > 0. More generally, we want a logical formalism that supports not only the specification and verification of single properties, but the larger task of representing and building up a knowledge base of properties of a system, starting with structural properties assumed in the modeling, and then adding new facts as they are verified by either model-checking or deductive means.

The remainder of this paper is an exploration of how the propositional modal μ-calculus can form a basis for a cohesive and expressively rich logical framework for the formal analysis of hybrid systems. In developing the logics, our key resources include:

1. modal logics, considered as a general formalism for reasoning about binary relations and operators on sets ([9], [35], [38], [5]); and

2. set-valued analysis and dynamical systems theory, brought into play by considering transition relations $r \subseteq X \times X$ in their equivalent form as set-valued maps $r : X \rightsquigarrow X$, i.e. functions $r : X \to \mathcal{P}(X)$ ([1], [6], [7]).

In the course of this paper, it will be important to keep an eye on both the distinction and the interplay between:

— the μ-calculus and various extensions as propositional modal logics (and thus ultimately monadic second-order logics [25]), in which formulas of the same formal language can be meaningfully interpreted in a variety of LTS models of any cardinality; in particular, in both continuum-sized models $\mathfrak{M}$ and in finite quotients $\mathfrak{M}_{\approx}$; and

— the first-order languages $\mathcal{L}(\mathcal{R})$ and theories $Th(\mathcal{R})$ of specific structures $\mathcal{R} = (\mathbb{R}; <, +, -, \cdot, 0, 1, \ldots)$ over the reals, used in defining the components - the state space $X$, the transition relations $a^{\mathfrak{M}}$ and observation sets $\|p\|^{\mathfrak{M}}$ - of particular, albeit intended, LTS models $\mathfrak{M}$.

With regard to the latter, note that in the theory of o-minimal structures, relations $r : \mathbb{R}^m \rightsquigarrow \mathbb{R}^n$ go by the name of definable families $(r_x)_{x \in \mathbb{R}^m}$ ([14] §3.3).

To restate the point, the system description language is that of first-order logic, while the system specification language is that of propositional polymodal logic with fixed-point quantifiers.

This paper is one installment of a larger project. An analysis of the concept of bisimulation, and its relation to the algebraic semantics for the μ-calculus, is given in [11], and [12] gives the completeness of deductive proof systems for normal polymodal extensions of the μ-calculus. Related logics and earlier versions of some of the ideas are found in [10].

The paper is organized as follows. Section 2 is a review and analysis of basic hybrid systems and their associated LTS models. Section 3 is a review of the syntax and LTS semantics of the modal μ-calculus. In Section 4, we flesh out the skeleton of an LTS model by imbuing the state space with topological and metric tolerance structure; we explore continuity and tolerance properties of relations $r : X \rightsquigarrow Y$ and applications to components of hybrid automata. Section 5 presents deductive proof systems for the new logics, extending Kozen’s axiomatization $\mathbf{L}\mu$. Section 6 is a brief discussion of ongoing research.


2 Basic hybrid automata and associated LTS models

First, a note on notation. For a set $X$, $\mathcal{P}(X)$ denotes the family of all subsets of $X$ (a complete Boolean algebra). Following [6], the notation $r : X \rightsquigarrow Y$ means $r \subseteq X \times Y$ is a relation, or equivalently, $r : X \to \mathcal{P}(Y)$ is a set-valued map, with values $r(x) \subseteq Y$ for $x \in X$. The expressions:

$$x \xrightarrow{r} y, \qquad (x, y) \in r, \qquad y \in r(x) \qquad \text{and} \qquad x\, r\, y$$

are synonymous. The domain of $r : X \rightsquigarrow Y$ is defined by $dom(r) = \sigma(r)(Y)$, and the range $ran(r) = \sigma(\breve{r})(X) = dom(\breve{r})$. Relational compositions $r \cdot s$ of $r : X \rightsquigarrow Y$ and $s : Y \rightsquigarrow Z$ are read from left to right in sequential order, defined by:

$$x \xrightarrow{r \cdot s} z \;\stackrel{\text{def}}{=}\; (\exists y \in Y)\ x \xrightarrow{r} y \ \text{and}\ y \xrightarrow{s} z$$

(cf. [1] where composition is written in the reverse order, as for functional composition.)

We base our discussion on a generalization of the systems considered in [27], [28], depicted in Figure 1. Figure 3 is an illustration.

Definition 1. A (basic, evolution time-deterministic) hybrid system is a structure

$$\mathcal{H} = \left( Q,\ G,\ \{X_q\}_{q \in Q},\ \{\phi_q\}_{q \in Q},\ \{Init_q\}_{q \in Q},\ \{Inv_q\}_{q \in Q},\ \{r_{q,q'}\}_{(q,q') \in G},\ \{Grd_{q,q'}\}_{(q,q') \in G} \right)$$

where

— $Q$ is a finite set of discrete states or control modes;

— $G \subseteq Q \times Q$ is the control graph of discrete transitions;

— for each $q \in Q$,

  • $X_q \subseteq \mathbb{R}^n$ is the state space for mode $q$;

  • $\phi_q : X_q \times \mathbb{R}^+ \to X_q$ is the continuous semi-flow of a vector field on $X_q$;

  • $Inv_q \subseteq X_q$ is the set of invariant states for mode $q$, or the domain of permitted evolution within mode $q$;

  • $Init_q \subseteq Inv_q$ is the set of initial states for mode $q$ (possibly empty);

— for each discrete transition $(q, q') \in G$,

  • $Grd_{q,q'} \subseteq X_q$ is the guard set for the jump from $q$ to $q'$;

  • $r_{q,q'} : X_q \rightsquigarrow X_{q'}$ is the reset relation; for $x \in X_q$, $r_{q,q'}(x) \subseteq X_{q'}$ is the set of possible reassignment states after the jump from $q$ to $q'$.

The hybrid state space of the system $\mathcal{H}$ is the set

$$X = \bigcup_{q \in Q} \{q\} \times X_q$$

To keep things simple, assume a fixed number $n$ of real-valued coordinates, so $X_q \subseteq \mathbb{R}^n$ for each $q \in Q$. In [27], [28], the systems under consideration are simpler again in that they have constant reset relations $r_{q,q'} = Grd_{q,q'} \times Rst_{q,q'}$, with the constant set of reassignment states $Rst_{q,q'} \subseteq Inv_{q'}$.

The intention is that a hybrid system, so defined, is the semantic content of a hybrid automaton in the sense of Henzinger [19], Def. 1.1. For definiteness, we take a (basic, evolution time-deterministic) hybrid automaton to be a hybrid system $\mathcal{H}$ with a concrete syntactic description, namely:

— the discrete structure is given by a finite graph $(Q, G)$, where $G \subseteq Q \times Q$;

— each of the component sets $X_q, Init_q, Inv_q, Grd_{q,q'} \subseteq \mathbb{R}^n$, semi-flows $\phi_q : X_q \times \mathbb{R}^+ \to X_q$, and reset relations $r_{q,q'} \subseteq X_q \times X_{q'}$ have explicit first-order definitions in the language $\mathcal{L}(<, +, -, \cdot, 0, 1, \ldots)$ of some specified structure $\mathcal{R}$ over the reals.

From [27], [28], we have reason to want such a structure $\mathcal{R}$ to be o-minimal.

Operationally, a hybrid automaton $\mathcal{H}$ can be thought of as defining a non-deterministic hybrid control policy, partially defined on states $(z, x) \in X$:

  if $z = q$ and $x \in Inv_q$
    then stay in discrete mode $q$ and continue evolution according to $\phi_q$;
  if $z = q$ and $x \in Grd_{q,q'}$ for some $(q, q') \in G$,
    then switch to discrete mode $q'$, re-initialize to some $x' \in r_{q,q'}(x)$, and then evolve according to the flow $\phi_{q'}$.

The domain of definition of $\mathcal{H}$ is given by:

$$dom(\mathcal{H}) = \Big( \bigcup_{q \in Q} \{q\} \times Inv_q \Big) \cup \Big( \bigcup_{(q,q') \in G} \{q\} \times Grd_{q,q'} \Big)$$

Fig. 3. Operation of basic hybrid automaton

If $z = q$ and $x \in Grd_{q,q'}$ for some $(q, q') \in G$, then that discrete control switch is said to be enabled; if $(q, x) \in dom(\mathcal{H})$ but $x \notin Inv_q$ then some discrete control switch is said to be forced. It is generally assumed that $r_{q,q'}(x) \subseteq Inv_{q'}$ for all $x \in Grd_{q,q'}$; in words, $Inv_{q'}$ is (forward) $r_{q,q'}$-invariant from $Grd_{q,q'}$. In some expositions (e.g. [27]), it is required that $\mathcal{H}$ be total or non-blocking, which amounts to the assumption that $dom(\mathcal{H}) = X$.

In descriptions of the operation of a hybrid automaton and the ensuing class of trajectories of the system, it is generally assumed (e.g. [19]) that the state $x = (x_1, \ldots, x_n) \in \mathbb{R}^n$ of the physical plant is being continuously sensed, with perfect precision, and that the action and effect of a discrete control switch is instantaneous.

The accepted ([19], [27]) definition of the (“time-abstract”) transition system of a hybrid automaton, with modified notation, is as follows.

Definition 2. Given a hybrid system $\mathcal{H}$, the LTS model $\mathfrak{M}_{\mathcal{H}}$ determined by $\mathcal{H}$ has the following components:

— the state space $X = \bigcup_{q \in Q} \{q\} \times X_q$;

— for each discrete state $q \in Q$, the constrained evolution relation $e_q : X_q \rightsquigarrow X_q$ defined by:

$$x \xrightarrow{e_q} x' \;\stackrel{\text{def}}{=}\; (\exists t \in \mathbb{R}^+)[\, x' = \phi_q(x, t) \wedge (\forall s \in [0, t])\ \phi_q(x, s) \in Inv_q \,]$$

— for each discrete transition $(q, q') \in G$, the controlled jump relation $c_{q,q'} : X_q \rightsquigarrow X_{q'}$ defined by:

$$x \xrightarrow{c_{q,q'}} x' \;\stackrel{\text{def}}{=}\; x \in Grd_{q,q'} \wedge x' \in Inv_{q'} \wedge x \xrightarrow{r_{q,q'}} x'$$

— the observation sets $X_q$, $Init_q$, $Inv_q$, $Grd_{q,q'}$.

We adopt the notational convention of identifying, when convenient, sets $A_q \subseteq X_q$ and $\{q\} \times A_q \subseteq X$; moreover, the relations $e_q : X_q \rightsquigarrow X_q$ and $c_{q,q'} : X_q \rightsquigarrow X_{q'}$ can be “lifted” to relations $X \rightsquigarrow X$ in the obvious way.

From the definition of the evolution relation $e_q$, a desired property of the domain of evolution $Inv_q$ is that it be convex with respect to the semi-flow $\phi_q$, in the sense that:

  if $x \in Inv_q$ and $\phi_q(x, t) \in Inv_q$ for some $t > 0$,
  then $\phi_q(x, s) \in Inv_q$ for all $s \in [0, t]$

So no curve segment of the semi-flow with both endpoints in $Inv_q$ ever leaves $Inv_q$ at an intermediate point.

In the terminology of [1] Ch. 6, Definition 6.3, the (positive) orbit relation $f : X \rightsquigarrow X$ of a semi-flow $\phi : X \times \mathbb{R}^+ \to X$ is defined by:

$$x \xrightarrow{f} x' \;\stackrel{\text{def}}{=}\; (\exists t \in \mathbb{R}^+)\ x' = \phi(x, t) \qquad (11)$$

With respect to the orbit relation $f_q : X_q \rightsquigarrow X_q$ of $\phi_q$, the desired convexity property for $Inv_q$ has the form:

So when $Inv_q$ is $f_q$-convex, we have the decompositions

$$e_q = f_q \cap (Inv_q \times Inv_q) \qquad \text{and} \qquad c_{q,q'} = r_{q,q'} \cap (Grd_{q,q'} \times Inv_{q'})$$

in which case we may as well assume the LTS model includes the (unconstrained) orbit relations $f_q$ and the uncontrolled reset relation $r_{q,q'}$. If we want to express properties which require both the orbit relation $f_q$ and its converse $\breve{f}_q$ (convexity is one such), then we should include $\breve{f}_q$ as a component of $\mathfrak{M}_{\mathcal{H}}$ as well (see also [20]).
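As an added example (not code from the paper), the following Python builds the LTS model $\mathfrak{M}_{\mathcal{H}}$ of a constructed two-mode automaton from the decompositions just stated, and then computes by fixed-point iteration the modalities $\langle h \rangle$ and $[h]$ of (5), the safety sentence (6), and the reachable region (10) via post-images of the converse relations. The modes, cells, invariants, guards, resets and initial set are all assumptions of the example, and the semi-flow is taken as already abstracted to integer cells.

```python
"""Finite LTS model of a constructed two-mode hybrid automaton, with the
mu-calculus modalities <h>, [h] of (5), the safety sentence (6) and the
reachable region (10) computed by fixed-point iteration.  Added example,
not code from the paper; every concrete set below is sample data."""
from itertools import product
from typing import Callable, FrozenSet, Tuple

State = Tuple[str, int]           # (discrete mode q, abstract temperature cell x)
StateSet = FrozenSet[State]
Rel = FrozenSet[Tuple[State, State]]

MODES = ("off", "on")
CELLS = range(10)                 # temperature already abstracted to 10 cells
X: StateSet = frozenset(product(MODES, CELLS))   # hybrid state space X


def states(q: str, pred: Callable[[int], bool]) -> StateSet:
    """The set {q} x {x in X_q | pred(x)}, i.e. a mode-local set lifted to X."""
    return frozenset((q, x) for x in CELLS if pred(x))


def orbit(q: str) -> Rel:
    """Positive orbit relation f_q of a discretised semi-flow (eq. 11): "on"
    heats and "off" cools by one cell per time unit, saturating at the ends.
    Reflexive (t = 0) and transitive, as the zero and sum semi-flow laws require."""
    step = 1 if q == "on" else -1
    return frozenset(((q, x), (q, min(9, max(0, x + step * t))))
                     for x in CELLS for t in range(len(CELLS)))


# Components of the hybrid system H (Definition 1); all constructed sample data.
f = {q: orbit(q) for q in MODES}
Inv = {"on": states("on", lambda x: x <= 7), "off": states("off", lambda x: x >= 2)}
Grd = {("on", "off"): states("on", lambda x: x >= 6),
       ("off", "on"): states("off", lambda x: x <= 3)}
r = {(q, q2): frozenset(((q, x), (q2, x)) for x in CELLS) for (q, q2) in Grd}  # reset keeps x
Init: StateSet = frozenset({("on", 2)})


def restrict(rel: Rel, dom: StateSet, cod: StateSet) -> Rel:
    """rel intersected with dom x cod."""
    return frozenset((x, y) for (x, y) in rel if x in dom and y in cod)


# Definition 2 via the decompositions e_q = f_q n (Inv_q x Inv_q) and
# c_{q,q'} = r_{q,q'} n (Grd_{q,q'} x Inv_{q'}); e and c are their relational sums.
e_q = {q: restrict(f[q], Inv[q], Inv[q]) for q in MODES}
c_qq = {(q, q2): restrict(r[(q, q2)], Grd[(q, q2)], Inv[q2]) for (q, q2) in Grd}
e: Rel = frozenset().union(*e_q.values())
c: Rel = frozenset().union(*c_qq.values())


def pre_some(rel: Rel, A: StateSet) -> StateSet:
    """sigma(rel)(A) = pre[rel](A): the semantics of <a>, eq. (2)."""
    return frozenset(x for (x, y) in rel if y in A)


def pre_all(rel: Rel, A: StateSet) -> StateSet:
    """tau(rel)(A): the semantics of [a], eq. (2), obtained by duality."""
    return X - pre_some(rel, X - A)


def converse(rel: Rel) -> Rel:
    return frozenset((y, x) for (x, y) in rel)


def post(rel: Rel, A: StateSet) -> StateSet:
    """post[rel] = pre[converse of rel], the identity behind rule (9)."""
    return pre_some(converse(rel), A)


def lfp(F: Callable[[StateSet], StateSet]) -> StateSet:
    """mu Z.F(Z): approximation sequence from the empty set; X is finite, so it stops."""
    Z: StateSet = frozenset()
    while F(Z) != Z:
        Z = F(Z)
    return Z


def gfp(F: Callable[[StateSet], StateSet]) -> StateSet:
    """nu Z.F(Z): approximation sequence from the whole space."""
    Z = X
    while F(Z) != Z:
        Z = F(Z)
    return Z


def diamond_h(phi: StateSet) -> StateSet:
    """<h>phi = mu Z. <e>phi v <e><c>Z   (5)."""
    return lfp(lambda Z: pre_some(e, phi) | pre_some(e, pre_some(c, Z)))


def box_h(phi: StateSet) -> StateSet:
    """[h]phi = nu Z. [e]phi ^ [e][c]Z   (5)."""
    return gfp(lambda Z: pre_all(e, phi) & pre_all(e, pre_all(c, Z)))


def reachable(init: StateSet) -> StateSet:
    """<h-converse>Init (10): the same fixed point with post-images in place of pre-images."""
    return lfp(lambda Z: post(e, init) | post(e, post(c, Z)))


def safe(init: StateSet, phi: StateSet) -> bool:
    """Safety sentence Init -> [h]phi (6), true iff ||Init|| is a subset of ||[h]phi||."""
    return init <= box_h(phi)


if __name__ == "__main__":
    below8 = states("on", lambda x: x <= 8) | states("off", lambda x: x <= 8)
    print(sorted(reachable(Init)))        # (on, 2..7) and (off, 2..7)
    print(safe(Init, below8))             # True
```

On a model with a finite bisimulation quotient, `reachable` runs exactly the approximation sequence $\chi_0, \chi_1, \ldots$ of Section 1, here over explicit state sets rather than first-order formulas, and stops at the first stage $k$ with $\chi_{k+1} = \chi_k$.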

The modularity of the modal μ-calculus allows us to succinctly express not only desired properties, i.e. those to be verified, but also various of the structural properties of the LTS model $\mathfrak{M}_H$ that it will typically possess by assumption. In a deductive framework, such sentences and sentence schemes (formulas with free propositional variables $Z$) provide an initial stock of facts known to be true in the model, and serve as hypotheses in application of inference rules when seeking to expand one's stock of knowledge.


[1] $\langle f_q^{-1}\rangle Inv_q \wedge \langle f_q\rangle Inv_q \to Inv_q$

[2] $Init_q \to Inv_q$

[3] $Init \leftrightarrow \bigvee_{q \in Q} Init_q$

[4] $Inv \leftrightarrow \bigvee_{q \in Q} Inv_q$

[5] $\langle r_{q,q'}^{-1}\rangle Grd_{q,q'} \to Inv_{q'}$

[6] $Grd_{q,q'} \to \langle r_{q,q'}\rangle tt$

[7] $\langle e_q\rangle Z \leftrightarrow Inv_q \wedge \langle f_q\rangle(Z \wedge Inv_q)$

[8] $\langle e_q^{-1}\rangle Z \leftrightarrow Inv_q \wedge \langle f_q^{-1}\rangle(Z \wedge Inv_q)$

[9] $\langle c_{q,q'}\rangle Z \leftrightarrow Grd_{q,q'} \wedge \langle r_{q,q'}\rangle(Z \wedge Inv_{q'})$

[10] $\langle c_{q,q'}^{-1}\rangle Z \leftrightarrow Inv_{q'} \wedge \langle r_{q,q'}^{-1}\rangle(Z \wedge Grd_{q,q'})$

[11] $\langle f\rangle Z \leftrightarrow \bigvee_{q \in Q} \langle f_q\rangle Z$

[12] $Z \to \langle f\rangle Z$

[13] $\langle f_q\rangle\langle f_q\rangle Z \to \langle f_q\rangle Z$

[14] $\langle e\rangle Z \leftrightarrow \bigvee_{q \in Q} \langle e_q\rangle Z$

[15] $\langle c\rangle Z \leftrightarrow \bigvee_{(q,q') \in G} \langle c_{q,q'}\rangle Z$

[16] $\langle h\rangle tt \leftrightarrow \bigvee_{q \in Q} Inv_q \;\vee\; \bigvee_{(q,q') \in G} Grd_{q,q'}$

[1] says that $Inv_q$ is $f_q$-convex. [2] is merely that $Init_q \subseteq Inv_q$. [3] and [4] define the global initial and invariant sets. [5] is the assumption that $Inv_{q'}$ is (future) $r_{q,q'}$-invariant from $Grd_{q,q'}$. [6] says that every point in $Grd_{q,q'}$ has an $r_{q,q'}$-successor; i.e. $Grd_{q,q'} \subseteq dom(r_{q,q'})$. [7]-[10] follow from the decompositions $e_q = f_q \cap (Inv_q \times Inv_q)$ and $c_{q,q'} = r_{q,q'} \cap (Grd_{q,q'} \times Inv_{q'})$. In particular, using the rule for converse (9) in Section 1 above, we have:

$$\varphi \to [e_q]\varphi \quad\text{iff}\quad Inv_q \wedge \langle f_q^{-1}\rangle(\varphi \wedge Inv_q) \to \varphi \qquad (12)$$

and

$$\varphi \to [c_{q,q'}]\varphi \quad\text{iff}\quad Inv_{q'} \wedge \langle r_{q,q'}^{-1}\rangle(\varphi \wedge Grd_{q,q'}) \to \varphi \qquad (13)$$

[11] defines $f$ as the union of the orbit relations $f_q$. From the zero semi-flow property, each $f_q$ is reflexive on its domain $X_q$, so $f$ is reflexive (and total) on the whole space $X$, which is [12]. From the sum semi-flow property, each $f_q$ is transitive; this is [13]. [14] and [15] are the definitions $e = \bigcup_{q \in Q} e_q$ and $c = \bigcup_{(q,q') \in G} c_{q,q'}$. From [7], [14] and [12], it follows that:

$$(Z \wedge Inv) \to \langle e\rangle(Z \wedge Inv) \qquad (14)$$

that is, the relational sum $e$ is reflexive on its domain. And from [7] and [13], we get:

$$\langle e_q\rangle\langle e_q\rangle Z \to \langle e_q\rangle Z \qquad (15)$$

which says each $e_q$ is transitive.

[16] defines the domain $dom(H)$. The definitions of $\langle h\rangle$ and $[h]$ in (5) above should also be added to the list.

Using convexity assumption [1] and (12), the invariance assumption [5] and (13), and the invariance rule (7), it follows that $Inv \to [h]Inv$ will be true in $\mathfrak{M}_H$, i.e. the set $Inv$ is future-invariant under $H$. More generally, whenever $Inv \to \varphi$ is true in $\mathfrak{M}_H$, then $Init \to [h]\varphi$ will be true, and thus on the current interpretation, $\|\varphi\|^{\mathfrak{M}}$ is safe under the action of $H$, since no (perfect precision) hybrid trajectory starting in $Init$ ever leaves $Inv$. So in this scenario, the situation of a controlled jump being forced, that is, $(q,x) \in dom(H)$ but $x \notin Inv_q$, can in fact never arise. Perfect precision trajectories start or land inside $Inv_q$, evolve continuously according to $\phi_q$, and then while the state is still inside $Inv_q$, or at worst on the (topological) boundary of $Inv_q$, a jump is made according to $c_{q,q'}$.
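As an added illustration (example code, not part of the paper), the convexity property [1] and the decomposition $e_q = f_q \cap (Inv_q \times Inv_q)$ can be checked on a discretised mode: the semi-flow $\phi_q$ is replaced by a constructed one-step map on ten integer states, so the orbit relation $f_q$ of (11) is the reflexive-transitive closure of that map, and the evolution relation built directly from the curve condition is compared with the decomposition for a convex and a non-convex choice of $Inv_q$ (both constructed samples).

```python
# Added example (not from the paper). One control mode with a discretised
# semi-flow: the orbit relation f_q is the reflexive-transitive closure of a
# step map on a finite set of sample states. All data below is constructed.

STATES = tuple(range(10))


def step(x):
    """Constructed one-step dynamics: drift right until the edge of X_q."""
    return x + 1 if x < 9 else None


def pre_exists(rel, target):
    """sigma(rel)(target): states with some rel-successor in target, i.e. <rel>target."""
    return frozenset(x for (x, y) in rel if y in target)


def converse(rel):
    return frozenset((y, x) for (x, y) in rel)


def orbit_relation(states, step):
    """f_q of (11): x f_q y iff y is reached from x after 0 or more steps."""
    rel = set((x, x) for x in states)            # zero semi-flow property: reflexive
    for x in states:
        y = step(x)
        while y is not None and (x, y) not in rel:
            rel.add((x, y))                       # sum property: transitive by construction
            y = step(y)
    return frozenset(rel)


def is_convex(f, inv):
    """[1]: <f_q^{-1}>Inv_q and <f_q>Inv_q -> Inv_q. A state lying between two
    points of Inv_q on the same orbit must itself be in Inv_q."""
    earlier = pre_exists(converse(f), inv)        # some orbit predecessor in Inv_q
    later = pre_exists(f, inv)                    # some orbit successor in Inv_q
    return (earlier & later) <= inv


def curve_evolution(states, step, inv):
    """e_q from its definition: every point of the curve segment from x to y,
    end-points included, lies in Inv_q."""
    rel = set()
    for x in states:
        if x not in inv:
            continue
        y = x
        while y is not None and y in inv:
            rel.add((x, y))
            y = step(y)
    return frozenset(rel)


def decomposed_evolution(f, inv):
    """e_q = f_q ∩ (Inv_q × Inv_q): the decomposition valid when Inv_q is f_q-convex."""
    return frozenset((x, y) for (x, y) in f if x in inv and y in inv)


def decomposition_is_exact(states, step, inv):
    """True iff the decomposition agrees with the curve definition of e_q."""
    f = orbit_relation(states, step)
    return curve_evolution(states, step, inv) == decomposed_evolution(f, inv)


def scheme_7_holds(f, inv, z):
    """[7]: <e_q>Z <-> Inv_q and <f_q>(Z and Inv_q), both sides evaluated for one Z."""
    e = decomposed_evolution(f, inv)
    return pre_exists(e, z) == (inv & pre_exists(f, z & inv))


INV_CONVEX = frozenset({2, 3, 4, 5})    # an orbit interval: f_q-convex
INV_GAP = frozenset({2, 3, 5, 6})       # 4 is missing: not f_q-convex
F_Q = orbit_relation(STATES, step)

if __name__ == "__main__":
    for name, inv in (("convex", INV_CONVEX), ("gap", INV_GAP)):
        print(name, "convex:", is_convex(F_Q, inv),
              "decomposition exact:", decomposition_is_exact(STATES, step, inv))
```

With the gap in $Inv_q$, the pair $(2,5)$ belongs to $f_q \cap (Inv_q \times Inv_q)$ although the curve through 4 leaves $Inv_q$, which is exactly the situation convexity rules out; scheme [7] itself is an identity of the decomposed relation and holds in both cases.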

In some accounts of the LTS model of a hybrid automaton (including that in [19]), the definition of the constrained evolution relation $e_q$ is slightly weaker, with the requirement: $\forall s \in [0,t),\ \phi_q(x,s) \in Inv_q$, so the end-point $\phi_q(x,t)$ need not lie in $Inv_q$. If $Inv_q$ is closed (in the standard topology on $X_q \subseteq \mathbb{R}^n$), then the continuity of $\phi_q : X_q \times \mathbb{R}^+ \to X_q$ entails that all such end-points will lie in $Inv_q$ regardless, so the weakening makes no difference. In virtually all concrete examples of hybrid automata in the literature, the invariant sets $Inv_q$ are closed.

In Section 4, when we adjoin modalities corresponding to the interior and closure operators of a topology, we will be able to formally express properties such as being open, closed, or the topological boundary of a set. We will also be able to give formal expression to the assumption that the orbit relations $f_q$ are those of continuous semi-flows, and to consider consequences of continuity.

We also clearly need to entertain the possibility that a physical realization of a hybrid automaton as a control policy might be less than perfect: sensors will be accurate only up to some level of precision; we should allow for delay between sensing the state and acting on that sensor reading in accordance with the control policy; and then there are margins of error in real-valued constants used in first-order definitions of the components of the model. In Section 4, we will consider alternative classes of hybrid trajectories by playing with the definitions of the fixed-point modalities $\langle h\rangle$ and $[h]$ in an enriched modal language containing modalities $\langle \varepsilon\rangle$ and $[\varepsilon]$ interpreted by metric $\varepsilon$-tolerance relations, for concrete values of $\varepsilon > 0$.


3 Syntax and LTS semantics of the modal μ-calculus

The μ-calculus originated in the late 1960's (Scott and de Bakker) as a formal logic of digital programs, the input-output behavior of an atomic program being represented as a binary transition relation on (discrete) states. Contemporary introductions to the μ-calculus can be found in [38], [15]. In this section, we review the syntax and semantics over LTS models of the propositional modal μ-calculus.

Definition 3. A modal signature is a pair $(\Phi, \Sigma)$, where $\Phi$ is a set of propositional constants and $\Sigma$ is a set of transition labels. Let $PVar$ denote a fixed set of propositional (second-order or set-valued) variables. The collection $\mathcal{F}_\mu(\Phi,\Sigma)$ of formulas of the propositional modal μ-calculus is generated by the grammar:

$$\varphi ::= ff \mid p \mid Z \mid \neg\varphi \mid \varphi_1 \vee \varphi_2 \mid \langle a\rangle\varphi \mid \mu Z.\varphi$$

for propositional constants $p \in \Phi$, propositional variables $Z \in PVar$, and transition labels $a \in \Sigma$, and with the proviso that in $\mu Z.\varphi$, the variable $Z$ occur positively, i.e. each occurrence of $Z$ in $\varphi$ is within the scope of an even number of negations.

The other (classical) propositional connectives, modalities and greatest fixed point quantifier are defined in the usual way:

$$tt \equiv \neg ff \qquad\qquad \varphi_1 \wedge \varphi_2 \equiv \neg(\neg\varphi_1 \vee \neg\varphi_2)$$

$$\varphi_1 \to \varphi_2 \equiv \neg\varphi_1 \vee \varphi_2 \qquad\qquad \varphi_1 \leftrightarrow \varphi_2 \equiv (\varphi_1 \to \varphi_2) \wedge (\varphi_2 \to \varphi_1)$$

$$[a]\varphi \equiv \neg\langle a\rangle\neg\varphi \qquad\qquad \nu Z.\varphi \equiv \neg\mu Z.\neg\varphi[Z := \neg Z]$$

An occurrence of a variable $Z \in PVar$ in a formula that is within the scope of a $\mu Z$ is called bound, otherwise it is free (as in first-order logic). Let $\mathcal{S}_\mu(\Phi,\Sigma)$ denote the set of all sentences, or closed formulas of $\mathcal{F}_\mu(\Phi,\Sigma)$, i.e. those without any free variables, and let $\mathcal{F}(\Phi,\Sigma)$ and $\mathcal{S}(\Phi,\Sigma)$ denote, respectively, the set of all purely modal formulas and sentences, i.e. those containing no fixed point quantifiers, and in case of sentences, no variables $Z$.

For formulas $\varphi, \psi \in \mathcal{F}_\mu(\Phi,\Sigma)$, let $\varphi[Z := \psi]$ denote the result of substituting $\psi$ for all free occurrences of $Z$. By renaming bound variables in $\varphi$ if necessary, we can assume such substitutions do not result in the unintended capture of free variables.

Definition 4. Given an LTS $\mathfrak{M} = (X, \{a^{\mathfrak{M}}\}_{a \in \Sigma}, \{\|p\|^{\mathfrak{M}}\}_{p \in \Phi})$ of modal signature $(\Phi,\Sigma)$, a (propositional, or second-order) variable assignment in $\mathfrak{M}$ is any map $\xi : PVar \to \mathcal{P}(X)$. Each such assignment $\xi$ uniquely extends to a denotation map $\|\cdot\|^{\mathfrak{M}}_\xi : \mathcal{F}_\mu(\Phi,\Sigma) \to \mathcal{P}(X)$ as follows:

$$\|ff\|^{\mathfrak{M}}_\xi = \emptyset$$

$$\|p\|^{\mathfrak{M}}_\xi = \|p\|^{\mathfrak{M}}$$

$$\|Z\|^{\mathfrak{M}}_\xi = \xi(Z) \quad\text{for } Z \in PVar$$

$$\|\neg\varphi\|^{\mathfrak{M}}_\xi = X - \|\varphi\|^{\mathfrak{M}}_\xi$$

$$\|\varphi_1 \vee \varphi_2\|^{\mathfrak{M}}_\xi = \|\varphi_1\|^{\mathfrak{M}}_\xi \cup \|\varphi_2\|^{\mathfrak{M}}_\xi$$

$$\|\langle a\rangle\varphi\|^{\mathfrak{M}}_\xi = \sigma(a^{\mathfrak{M}})(\|\varphi\|^{\mathfrak{M}}_\xi) \quad\text{for } a \in \Sigma$$

$$\|\mu Z.\varphi\|^{\mathfrak{M}}_\xi = \bigcap\{A \in \mathcal{P}(X) \mid \|\varphi\|^{\mathfrak{M}}_{\xi(A/Z)} \subseteq A\}$$

where the pre-image operator $\sigma(a^{\mathfrak{M}})$ is defined as in (2) above, and for sets $A \in \mathcal{P}(X)$, the variant assignment $\xi(A/Z) : PVar \to \mathcal{P}(X)$ is given by:

$$\xi(A/Z)(W) = \xi(W) \text{ if } W \neq Z, \quad\text{and}\quad \xi(A/Z)(W) = A \text{ if } W = Z.$$

For formulas $\varphi \in \mathcal{F}_\mu(\Phi,\Sigma)$ and assignments $\xi : PVar \to \mathcal{P}(X)$ in $\mathfrak{M}$, we say:

- $\varphi$ is true at state $x$ in $(\mathfrak{M},\xi)$, written: $\mathfrak{M}, x \models_\xi \varphi$, iff $x \in \|\varphi\|^{\mathfrak{M}}_\xi$;

- $\varphi$ is true in $(\mathfrak{M},\xi)$, written: $\mathfrak{M} \models_\xi \varphi$, iff $\|\varphi\|^{\mathfrak{M}}_\xi = X$; i.e. $\varphi$ is true at all states $x$ in $(\mathfrak{M},\xi)$; and

- $\varphi$ is true in $\mathfrak{M}$, written: $\mathfrak{M} \models \varphi$, iff $\varphi$ is true in $(\mathfrak{M},\xi)$ for all assignments $\xi$ in $\mathfrak{M}$.

For sentences $\varphi \in \mathcal{S}_\mu(\Phi,\Sigma)$, the denotation $\|\varphi\|^{\mathfrak{M}}_\xi$ is independent of the variable assignment $\xi$, and is written $\|\varphi\|^{\mathfrak{M}}$. So $\mathfrak{M} \models \varphi$ iff $\mathfrak{M} \models_\xi \varphi$ for any assignment $\xi$.

Given a model $\mathfrak{M}$ and variable assignment $\xi$, each formula $\varphi \in \mathcal{F}_\mu(\Phi,\Sigma)$ and each variable $Z \in PVar$ free in $\varphi$, together determine an operator on sets $\varphi^{\mathfrak{M}}_{\xi,Z} : \mathcal{P}(X) \to \mathcal{P}(X)$ given by:

$$(\varphi^{\mathfrak{M}}_{\xi,Z})(A) = \|\varphi\|^{\mathfrak{M}}_{\xi(A/Z)} \qquad (16)$$

The variant assignment construct corresponds to substitution: for all formulas $\psi \in \mathcal{F}_\mu(\Phi,\Sigma)$,

$$(\varphi^{\mathfrak{M}}_{\xi,Z})(\|\psi\|^{\mathfrak{M}}_\xi) = \|\varphi[Z := \psi]\|^{\mathfrak{M}}_\xi \qquad (17)$$

When the variable $Z$ occurs positively within $\varphi$, so $\mu Z.\varphi \in \mathcal{F}_\mu(\Phi,\Sigma)$, the operator $\varphi^{\mathfrak{M}}_{\xi,Z}$ is $\subseteq$-monotone:

$$A \subseteq B \;\Rightarrow\; F(A) \subseteq F(B)$$

for $F = \varphi^{\mathfrak{M}}_{\xi,Z}$. The clause in Definition 4 for μ-formulas says that $\|\mu Z.\varphi\|^{\mathfrak{M}}_\xi$ is the $\subseteq$-least pre-fixed-point of the monotone operator $\varphi^{\mathfrak{M}}_{\xi,Z}$ in the complete lattice $\mathcal{P}(X)$. So by the Tarski-Knaster fixed-point theorem, $\|\mu Z.\varphi\|^{\mathfrak{M}}_\xi$ must also be the $\subseteq$-least fixed-point of $\varphi^{\mathfrak{M}}_{\xi,Z}$:

$$\|\mu Z.\varphi\|^{\mathfrak{M}}_\xi = \bigcap\{A \in \mathcal{P}(X) \mid \|\varphi\|^{\mathfrak{M}}_{\xi(A/Z)} = A\}$$


In the standard set-theoretic semantics for the μ-calculus, as presented here and given in [23], [38], [40], [15], the propositional variables $Z$ range over the full power-set (and complete Boolean algebra) $\mathcal{P}(X)$, that is, all subsets of $X$. An alternative, developed by Kwiatkowska and colleagues [5], [8], is an algebraic semantics in which the range of propositional variables is restricted to a sub-family $\mathcal{A} \subseteq \mathcal{P}(X)$. This work has roots in a number of classic studies from the 1950's, notably that of Henkin [18] on completeness of higher-order logic; of Jonsson and Tarski [26] on Boolean algebras with operators; and that of Rasiowa and Sikorski [36] on algebraic logic.

Definition 5. ([5], [8]). Given an LTS model $\mathfrak{M}$, a family of sets $\mathcal{A} \subseteq \mathcal{P}(X)$ is said to be a modal algebra for $\mathfrak{M}$, and the pair $(\mathfrak{M},\mathcal{A})$ is known as a modal frame, when each of the following holds:

1. $\mathcal{A}$ contains each of the observation sets $\|p\|^{\mathfrak{M}}$, for $p \in \Phi$;

2. $\mathcal{A}$ is a Boolean algebra under the finitary set-theoretic operations; and

3. $\mathcal{A}$ is closed under each of the pre-image operators $\sigma(a^{\mathfrak{M}})$ and $\tau(a^{\mathfrak{M}})$, for $a \in \Sigma$.

For purely modal formulas $\varphi \in \mathcal{F}(\Phi,\Sigma)$, the clauses in the inductive definition of the denotation $\|\varphi\|^{\mathcal{A}}_\xi \subseteq X$ with respect to a modal frame $(\mathfrak{M},\mathcal{A})$ are identical to those in Definition 4 for $\|\varphi\|^{\mathfrak{M}}_\xi$, with the proviso that variable assignments $\xi$ are restricted to $\mathcal{A}$, i.e. $\xi : PVar \to \mathcal{A}$.

A formula $\varphi$ is true in the frame $(\mathfrak{M},\mathcal{A})$, written $(\mathfrak{M},\mathcal{A}) \models \varphi$, iff $\|\varphi\|^{\mathcal{A}}_\xi = X$ for all assignments $\xi$ in $\mathcal{A}$.

An LTS model $\mathfrak{M}$ is identified with the modal frame $(\mathfrak{M},\mathcal{P}(X))$.

Modal algebras $\mathcal{A} \subseteq \mathcal{P}(X)$ need not be complete as lattices, so unlike $\mathcal{P}(X)$, we have no guarantee that the set which is the $\subseteq$-least pre-fixed-point of $\varphi^{\mathcal{A}}_{\xi,Z}$ in fact exists in $\mathcal{A}$; when it does, it is the least fixed-point in $\mathcal{A}$ of $\varphi^{\mathcal{A}}_{\xi,Z}$, by a variant of the argument in the Tarski-Knaster fixed-point theorem.

Definition 6. ([5], [8]). A modal algebra $\mathcal{A} \subseteq \mathcal{P}(X)$ is called a modal μ-algebra, and the pair $(\mathfrak{M},\mathcal{A})$ called a modal μ-frame, if for each formula $\mu Z.\varphi \in \mathcal{F}_\mu(\Phi,\Sigma)$ the infinitary meet or infimum of the family in $\mathcal{A}$ of pre-fixed-points of $\varphi^{\mathcal{A}}_{\xi,Z}$

$$\bigwedge\{A \in \mathcal{A} \mid \|\varphi\|^{\mathcal{A}}_{\xi(A/Z)} \subseteq A\}$$

exists in $\mathcal{A}$, in which case $\|\mu Z.\varphi\|^{\mathcal{A}}_\xi$ is that set.


In general, the denotations $\|\varphi\|^{\mathfrak{M}}_\xi$ and $\|\varphi\|^{\mathcal{A}}_\xi$ part company on μ-formulas, since the smallest of all sets $A \in \mathcal{P}(X)$ such that a condition holds will be contained in the smallest of all sets $A \in \mathcal{A}$ for which the same condition holds. In [11], we identify conditions under which a modal μ-frame $(\mathfrak{M},\mathcal{A})$ is in semantic agreement with $\mathfrak{M}$, i.e. for all μ-formulas $\varphi \in \mathcal{F}_\mu(\Phi,\Sigma)$, $\|\varphi\|^{\mathcal{A}}_\xi = \|\varphi\|^{\mathfrak{M}}_\xi$ for assignments $\xi$ restricted to $\mathcal{A}$. The smallest μ-algebra for an LTS $\mathfrak{M}$ is the countable algebra

$$\mathcal{S}^{\mathfrak{M}}_\mu = \{\|\varphi\|^{\mathfrak{M}} \mid \varphi \in \mathcal{S}_\mu(\Phi,\Sigma)\}$$

of denotations of μ-sentences in $\mathfrak{M}$. It is readily verified that $\mathcal{S}^{\mathfrak{M}}_\mu$ is in semantic agreement with $\mathfrak{M}$.

From the purely modal clauses in Definition 4, together with the definitions of the pre-image operators in (2), it follows that if the state space, transition relations and observation sets of an LTS model $\mathfrak{M}$ are all first-order definable in some structure, then for all modal sentences $\varphi \in \mathcal{S}(\Phi,\Sigma)$, the denotation $\|\varphi\|^{\mathfrak{M}} \subseteq X$ is first-order definable. Otherwise put, the countable algebra

$$\mathcal{S}^{\mathfrak{M}} = \{\|\varphi\|^{\mathfrak{M}} \mid \varphi \in \mathcal{S}(\Phi,\Sigma)\}$$

of denotations in $\mathfrak{M}$ of purely modal sentences has a finitary syntactic representation as a family of first-order formulas; a family finitely generated by the explicit first-order definitions of the components of $\mathfrak{M}$, under the straightforward translation of modal sentences based on the definitions (2) and the (classical) meaning of the Boolean connectives. Of course, an optimal situation is when the first-order structure admits quantifier-elimination, as then the naive translation of a modal sentence can be reduced to a quantifier-free formula, and so the algebra $\mathcal{S}^{\mathfrak{M}}$ will have a simpler and more tractable representation. Such algebras are the semantic content of Henzinger's notion of a symbolic execution theory in [19] §3.1.

Returning to the standard set-theoretic semantics, the completeness of $\mathcal{P}(X)$ as a lattice ensures that the set $\|\mu Z.\varphi\|^{\mathfrak{M}}_\xi$ has an equivalent characterization (by the Park-Hitchcock fixed-point theorem) as the union of a $\subseteq$-increasing sequence of approximations:

$$\|\mu Z.\varphi\|^{\mathfrak{M}}_\xi = \bigcup_{\alpha < Ord(\mathfrak{M})} \|\varphi\|^{\alpha}_\xi$$

where

$$\|\varphi\|^{0}_\xi = \emptyset$$

$$\|\varphi\|^{\alpha+1}_\xi = \varphi^{\mathfrak{M}}_{\xi,Z}(\|\varphi\|^{\alpha}_\xi)$$

$$\|\varphi\|^{\eta}_\xi = \bigcup_{\alpha < \eta} \|\varphi\|^{\alpha}_\xi \quad\text{for limit ordinals } \eta$$

and $Ord(\mathfrak{M}) \leq \kappa^+$, for $\kappa = Card(X)$, is the closure ordinal of $\varphi^{\mathfrak{M}}_{\xi,Z}$. The sets $\|\varphi\|^{\alpha}_\xi$ are μ-approximations of $\|\mu Z.\varphi\|^{\mathfrak{M}}_\xi$. Likewise, the denotation of $\nu Z.\varphi$ can be represented as the intersection of a $\subseteq$-decreasing sequence of ν-approximations.

In the general case, over LTS models $\mathfrak{M}$ of arbitrary cardinality, approximation sequences for the denotation of fixed-point formulas proceed through transfinite ordinals; when $X$ has the cardinality of the continuum, $Ord(\mathfrak{M})$ could be much longer than we care to deal with.

When the operator $\varphi^{\mathfrak{M}}_{\xi,Z}$ corresponding to the body of a μ-formula $\mu Z.\varphi$ is ω-chain-additive, that is, for $F = \varphi^{\mathfrak{M}}_{\xi,Z}$,

$$F\Big(\bigcup_{n<\omega} A_n\Big) = \bigcup_{n<\omega} F(A_n) \quad\text{where } A_n \subseteq A_{n+1} \text{ for all } n < \omega$$

then the ordinal of convergence for $\|\mu Z.\varphi\|^{\mathfrak{M}}_\xi$ is at worst ω. In this case, we have a sequence of approximation formulas

$$\varphi^0 \equiv ff \quad\text{and}\quad \varphi^{n+1} \equiv \varphi[Z := \varphi^n] \quad\text{for } n < \omega \qquad (18)$$

and

$$\|\mu Z.\varphi\|^{\mathfrak{M}}_\xi = \bigcup_{n<\omega} \|\varphi^n\|^{\mathfrak{M}}_\xi$$

since $\|\varphi^n\|^{\mathfrak{M}}_\xi = \|\varphi\|^{n}_\xi$. The terms "order-continuous" and "continuous from below" are also used instead of ω-chain-additive, since such an $F : \mathcal{P}(X) \to \mathcal{P}(X)$ is a continuous function with respect to the Scott topology on the complete partial order $(\mathcal{P}(X), \subseteq)$. We adapt the terminology of Jonsson and Tarski [26] on Boolean algebras with operators, since we are interested in other meanings of "continuous". Dually, when $\varphi^{\mathfrak{M}}_{\xi,Z}$ is ω-chain-multiplicative, the ordinal of convergence for $\|\nu Z.\varphi\|^{\mathfrak{M}}_\xi$ is at worst ω, and the sequence of approximation formulas starts at $tt$ and decreases.

In particular, the semantic operator corresponding to the body of $\langle h\rangle\varphi$ (or $[h]\varphi$), as defined in (5), for sentences $\varphi$, is:

Since the ∃-pre-image of any relation is completely additive, i.e. distributes over arbitrary unions, it follows that $\|\langle h\rangle\varphi\|^{\mathfrak{M}}$ is the union of the denotations of the approximation sequence

$$ff,\quad \langle e\rangle\varphi,\quad \langle e\rangle\varphi \vee \langle e\rangle\langle c\rangle\langle e\rangle\varphi,\quad \langle e\rangle\varphi \vee \langle e\rangle\langle c\rangle\langle e\rangle\varphi \vee \langle e\rangle\langle c\rangle\langle e\rangle\langle c\rangle\langle e\rangle\varphi,\quad \ldots$$

Dually, the semantic operator corresponding to $[h]$ is completely multiplicative.
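The following Python is an added example, not code from the paper: it implements the clauses of Definition 4 over a finite LTS, computes $\mu Z.\varphi$ as the union of the approximants of (18), and evaluates $\langle h\rangle\varphi$ and $[h]\varphi$ (with the bodies written out as in the approximation sequence above) on a constructed three-mode skeleton with labels 'e' and 'c'. The model, its states and its observation sets are assumptions made for the example.

```python
# Added example (not from the paper). Definition 4 over a finite LTS, with the
# least fixed point computed as the union of the approximants of (18). The
# model is a constructed skeleton of a hybrid automaton: label 'e' is the
# evolution relation, 'c' the controlled jump relation.


def sigma(rel, A):
    """Existential pre-image: states with some rel-successor in A (<a>)."""
    return frozenset(x for (x, y) in rel if y in A)


def tau(rel, A, states):
    """Universal pre-image: states all of whose rel-successors lie in A ([a])."""
    return frozenset(x for x in states
                     if all(y in A for (s, y) in rel if s == x))


# Formulas are nested tuples over the grammar of Definition 3 plus the derived
# connectives: ('ff',), ('tt',), ('p', name), ('Z', name), ('not', f),
# ('or', f, g), ('and', f, g), ('dia', a, f), ('box', a, f), ('mu', Z, f), ('nu', Z, f).


def approximants(Z, body, model, xi):
    """Park-Hitchcock chain ||phi||^n: starts at the empty set and applies the
    operator phi_{xi,Z} of (16) until it stops growing. On a finite model the
    chain is stationary after at most |X| steps, so omega suffices."""
    chain = [frozenset()]
    while True:
        nxt = evaluate(body, model, {**xi, Z: chain[-1]})
        if nxt == chain[-1]:
            return chain
        chain.append(nxt)


def evaluate(phi, model, xi=None):
    """Denotation ||phi||^M_xi of Definition 4. `model` is a dict with keys
    'states', 'rels' (label -> set of pairs) and 'obs' (constant -> set)."""
    xi = {} if xi is None else xi
    op = phi[0]
    if op == 'ff':
        return frozenset()
    if op == 'tt':
        return model['states']
    if op == 'p':
        return model['obs'][phi[1]]
    if op == 'Z':
        return xi[phi[1]]
    if op == 'not':
        return model['states'] - evaluate(phi[1], model, xi)
    if op == 'or':
        return evaluate(phi[1], model, xi) | evaluate(phi[2], model, xi)
    if op == 'and':
        return evaluate(phi[1], model, xi) & evaluate(phi[2], model, xi)
    if op == 'dia':
        return sigma(model['rels'][phi[1]], evaluate(phi[2], model, xi))
    if op == 'box':
        return tau(model['rels'][phi[1]], evaluate(phi[2], model, xi), model['states'])
    if op == 'mu':
        return approximants(phi[1], phi[2], model, xi)[-1]
    if op == 'nu':
        # greatest fixed point: the dual descending chain starting from X
        cur = model['states']
        while True:
            nxt = evaluate(phi[2], model, {**xi, phi[1]: cur})
            if nxt == cur:
                return cur
            cur = nxt
    raise ValueError(f"unknown connective {op!r}")


def holds(phi, model):
    """M |= phi for a sentence phi: true at every state."""
    return evaluate(phi, model) == model['states']


def reach(phi):
    """<h>phi = muZ. <e>phi or <e><c>Z: some finite hybrid trajectory reaches phi."""
    return ('mu', 'Z', ('or', ('dia', 'e', phi), ('dia', 'e', ('dia', 'c', ('Z', 'Z')))))


def always(phi):
    """[h]phi = nuZ. [e]phi and [e][c]Z: every finite hybrid trajectory stays in phi."""
    return ('nu', 'Z', ('and', ('box', 'e', phi), ('box', 'e', ('box', 'c', ('Z', 'Z')))))


# Constructed model: mode q0 = {a, b, c}, mode q1 = {d, e}, mode q2 = {f}.
MODEL = {
    'states': frozenset('abcdef'),
    'rels': {
        'e': frozenset({('a', 'a'), ('a', 'b'), ('a', 'c'), ('b', 'b'), ('b', 'c'),
                        ('c', 'c'), ('d', 'd'), ('d', 'e'), ('e', 'e'), ('f', 'f')}),
        'c': frozenset({('c', 'd'), ('e', 'f')}),
    },
    'obs': {'Init': frozenset('a'), 'Goal': frozenset('e'), 'Safe': frozenset('abcde')},
}


def reach_chain():
    """The approximants of <h>Goal: the denotations of ff, <e>Goal, ... above."""
    return approximants('Z', reach(('p', 'Goal'))[2], MODEL, {})
```

On this model the chain for $\langle h\rangle Goal$ stabilises after two steps (mode q1, then mode q0 through the jump $c \to d$), while $[h]Safe$ is empty because every state can reach the unsafe state $f$ through finitely many alternations of evolution and jump.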

When $\approx$ is a bisimulation equivalence on $\mathfrak{M}$, that is, an equivalence relation on $X$ which respects the transition relations $a^{\mathfrak{M}}$ and the observation sets $\|p\|^{\mathfrak{M}}$ in a suitable sense³, then the fundamental property of truth-preservation is as follows: for all sentences $\varphi \in \mathcal{S}_\mu(\Phi,\Sigma)$ and all $x, y \in X$,

$$x \approx y \;\Rightarrow\; [\, x \in \|\varphi\|^{\mathfrak{M}} \Leftrightarrow y \in \|\varphi\|^{\mathfrak{M}} \,] \qquad (19)$$

It follows that if $\approx$ is a bisimulation equivalence of finite index $N$, then the denotation of each sentence is a finite union of equivalence classes under $\approx$. Hence for sentences $\mu Z.\varphi$ and $\nu Z.\varphi$, the ordinal of convergence for $\|\mu Z.\varphi\|^{\mathfrak{M}}$ and $\|\nu Z.\varphi\|^{\mathfrak{M}}$ is bounded by $N$. In this case, the finite quotient LTS $\mathfrak{M}/\!\approx$ is a finite simulacrum, and finite automaton representation, of the original system $\mathfrak{M}$. If such is the case, the countable μ-algebra $\mathcal{S}^{\mathfrak{M}}_\mu$ is in fact a finite algebra, and the atoms of the algebra are the equivalence classes under $\approx$. The familiar bisimulation algorithm ([19] §3.1; [27] §2) can be reinterpreted algebraically as the construction of a sequence of algebras $\mathcal{S}^{\mathfrak{M}}_k$ for $k < \omega$, where

$$\mathcal{S}^{\mathfrak{M}}_k = \{\|\varphi\|^{\mathfrak{M}} \mid \varphi \in \mathcal{S}_k(\Phi,\Sigma)\}$$

is the finite Boolean algebra of denotations of modal sentences of modal degree $\leq k$. The modal degree measures depth of nesting of modal operators; for example, for hybrid trajectory formulas of the form (3), the degree is $2n+1$, where $n$ is the length of the discrete trace. It follows that $\mathcal{S}^{\mathfrak{M}}_{k+1}$ is the smallest Boolean algebra generated by $\mathcal{S}^{\mathfrak{M}}_k \cup \{\sigma(a^{\mathfrak{M}})(A) \mid A \in \mathcal{S}^{\mathfrak{M}}_k\}$. The algorithm terminates at stage $k+1$ if $\mathcal{S}^{\mathfrak{M}}_{k+1} = \mathcal{S}^{\mathfrak{M}}_k$, in which case the equivalence relation:

$$x \approx y \;\equiv\; (\forall A \in \mathcal{S}^{\mathfrak{M}}_k)[\, x \in A \Leftrightarrow y \in A \,]$$

is a finite bisimulation equivalence whose equivalence classes are atoms of the algebra $\mathcal{S}^{\mathfrak{M}}_k$, and $\mathcal{S}^{\mathfrak{M}}_\mu = \mathcal{S}^{\mathfrak{M}}_k$.
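As an added example (not the paper's code), the reinterpretation of the bisimulation algorithm as the chain of algebras $\mathcal{S}^{\mathfrak{M}}_k$ can be run on a finite LTS: each $\mathcal{S}^{\mathfrak{M}}_k$ is represented by its atoms, $\mathcal{S}^{\mathfrak{M}}_{k+1}$ is generated from the atoms of $\mathcal{S}^{\mathfrak{M}}_k$ together with their $\sigma$-pre-images, and the loop stops at the first $k$ with $\mathcal{S}^{\mathfrak{M}}_{k+1} = \mathcal{S}^{\mathfrak{M}}_k$. The six-state LTS, its relation and its observation set are constructed sample data.

```python
# Added example (not from the paper): the bisimulation algorithm read as the
# construction of the algebras S_k. Each S_k is represented by its atoms (the
# blocks of a partition of X); S_{k+1} is generated by S_k together with the
# pre-images sigma(a)(A) of its atoms. The LTS below is constructed sample data.


def sigma(rel, A):
    """Existential pre-image sigma(rel)(A)."""
    return frozenset(x for (x, y) in rel if y in A)


def atoms(states, generators):
    """Atoms of the Boolean algebra generated by `generators`: two states are in
    the same atom iff they belong to exactly the same generating sets."""
    blocks = {}
    for x in states:
        key = tuple(x in g for g in generators)
        blocks.setdefault(key, set()).add(x)
    return frozenset(frozenset(b) for b in blocks.values())


def algebra_chain(states, rels, obs):
    """Partitions atoms(S_0), atoms(S_1), ... up to the first k with S_{k+1} = S_k.
    Since sigma(a) distributes over unions, pre-images of the atoms generate
    the same algebra as pre-images of all members of S_k."""
    chain = [atoms(states, list(obs.values()))]
    while True:
        prev = chain[-1]
        gens = list(prev) + [sigma(r, A) for r in rels.values() for A in prev]
        nxt = atoms(states, gens)
        if nxt == prev:
            return chain
        chain.append(nxt)


def is_bisimulation(partition, rels, obs):
    """Forward bisimulation conditions on a partition: equivalent states satisfy
    the same constants and have successors in the same blocks."""
    block_of = {x: B for B in partition for x in B}
    for B in partition:
        for x in B:
            for y in B:
                if any((x in o) != (y in o) for o in obs.values()):
                    return False
                for r in rels.values():
                    targets_x = {block_of[t] for (s, t) in r if s == x}
                    targets_y = {block_of[t] for (s, t) in r if s == y}
                    if targets_x != targets_y:
                        return False
    return True


STATES = frozenset({'s0', 's1', 's2', 's3', 's4', 's5'})
RELS = {'a': frozenset({('s0', 's1'), ('s1', 's2'), ('s2', 's4'),
                        ('s3', 's5'), ('s5', 's4'), ('s4', 's4')})}
OBS = {'P': frozenset({'s4'})}


def quotient():
    """Final partition: the atoms of S_mu^M for the sample LTS."""
    return algebra_chain(STATES, RELS, OBS)[-1]


if __name__ == "__main__":
    for k, part in enumerate(algebra_chain(STATES, RELS, OBS)):
        print(f"atoms of S_{k}:", sorted(sorted(B) for B in part))
```

Here $\mathcal{S}^{\mathfrak{M}}_0$ only separates the $P$-state, $\mathcal{S}^{\mathfrak{M}}_1$ separates its immediate predecessors, and $\mathcal{S}^{\mathfrak{M}}_2 = \mathcal{S}^{\mathfrak{M}}_3$ has four atoms; $s_2$ and $s_5$ (and likewise $s_1$ and $s_3$) end up bisimilar, while the first partition is not yet a bisimulation.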


4 Adding topological and metric tolerance structure

Within modal logic, there is a well-known way of representing a topology $\mathcal{T}$ on the state space $X$ of an LTS or Kripke model. From McKinsey and Tarski's work in the 1940's ([31], [32], [36]), the axioms for the box $\Box$ modality of the modal logic S4 correspond exactly to those of the Kuratowski axioms for the topological interior operator $int_{\mathcal{T}}$, and dually, the S4 diamond $\Diamond$ corresponds to topological closure $cl_{\mathcal{T}}$. S4 is a well-studied modal logic, and is of particular interest in virtue of the 1933 Gödel translation of Intuitionistic logic into (classical) S4. The relational Kripke semantics for S4 is in terms of pre-orders: reflexive and transitive relations $\leq\ \subseteq X \times X$, and can be shown to be a special case of the topological semantics via Alexandroff topologies, which are in one-one correspondence with pre-orders (see [11]). For background on general topology, see [33], [24].

³ The concept is not formally defined here. An analysis of the concept of bisimulation is given in [11]. See also the handbook article [38] §5.3, where it is noted that if one wants to preserve the truth of sentences containing the converse operation, then the notion of bisimulation must be strengthened so as to include respect for the converses of the $a^{\mathfrak{M}}$.

Let $\mathcal{F}_{\mu\Box}(\Phi,\Sigma)$ denote the collection of formulas defined as in Definition 3 with an additional clause for a plain $\Box$ modality, with analogous notation for the collection of sentences, and the purely modal fragments. The diamond is defined by the usual negation (de Morgan) duality: $\Diamond\varphi \equiv \neg\Box\neg\varphi$.

Definition 7. If $\mathfrak{M} = (X, \mathcal{T}, \{a^{\mathfrak{M}}\}_{a \in \Sigma}, \{\|p\|^{\mathfrak{M}}\}_{p \in \Phi})$ is a topologized LTS model, then the additional clauses to be added to Definition 4 for the semantics of formulas $\varphi \in \mathcal{F}_{\mu\Box}(\Phi,\Sigma)$ are:

$$\|\Box\varphi\|^{\mathfrak{M}}_\xi = int_{\mathcal{T}}(\|\varphi\|^{\mathfrak{M}}_\xi) \quad\text{and}\quad \|\Diamond\varphi\|^{\mathfrak{M}}_\xi = cl_{\mathcal{T}}(\|\varphi\|^{\mathfrak{M}}_\xi)$$

In the enriched language, we can simply express topological properties of sets of states. For example, a set $\|\varphi\|^{\mathfrak{M}} \subseteq X$ is, respectively, open, closed, dense or nowhere dense (empty interior), with respect to $\mathcal{T}$, exactly when the sentences $\varphi \to \Box\varphi$, $\Diamond\varphi \to \varphi$, $\Diamond\varphi$, or $\Diamond\neg\varphi$ are true in $\mathfrak{M}$. The topological boundary of $\|\varphi\|^{\mathfrak{M}}$ is denoted by the sentence $\Diamond\varphi \wedge \neg\Box\varphi$ (and boundary sets are always nowhere dense).

Note that if $X \subseteq \mathbb{R}^n$ is first-order definable in an o-minimal structure $\mathcal{R}$, $\mathcal{T}$ is the subspace topology on $X$ inherited from the standard metric topology on $\mathbb{R}^n$ (derived from the order $<$ on $\mathbb{R}$), and $A \subseteq X$ is definable, then $int_{\mathcal{T}}(A)$ and $cl_{\mathcal{T}}(A)$ are also definable ([14], Lemma 3.4). Thus if the components of a topologized model $\mathfrak{M}$ are definable in $\mathcal{R}$, then the topological modal algebra

$$\mathcal{S}^{\mathfrak{M}}_{\Box} = \{\|\varphi\|^{\mathfrak{M}} \mid \varphi \in \mathcal{S}_{\Box}(\Phi,\Sigma)\}$$

of denotations of modal sentences including $\Box$ is also definable. From the perspective of o-minimality, observe that the cells of a cell decomposition of a definable $X \subseteq \mathbb{R}^n$ are either open in $\mathbb{R}^n$, or else are boundary sets ([14], Proposition 2.5), properties expressible in the enriched modal language.

Note that if we want a bisimulation to be truth-preserving with respect to sentences $\varphi \in \mathcal{S}_{\mu\Box}(\Phi,\Sigma)$, then it must also respect the topology $\mathcal{T}$. For equivalence relations $\approx$, this amounts to the requirement that for each equivalence class $B$ under $\approx$, the closure $cl_{\mathcal{T}}(B)$ must be a union of equivalence classes, thus either $int_{\mathcal{T}}(B) = B$ or $int_{\mathcal{T}}(B) = \emptyset$; in brief, the equivalence classes $B$ are "cell-like".

OK, so we've formally got topologies in the picture, so we should be able to express some notion of continuity. A sticking point is that the standard notion of continuity is for functions, not relations. In purely topological terms, a function $f : (X,\mathcal{T}) \to (Y,\mathcal{S})$ is continuous iff for every open set $U$ in $Y$, the inverse-image $f^{-1}(U)$ is open in $X$. The relevant notions for relations $r : (X,\mathcal{T}) \leadsto (Y,\mathcal{S})$ were introduced by Kuratowski and Bouligand in the 1930's, and replace the functional inverse-image with the relational ∀- and ∃-pre-image operators.


Definition 8. ([6] §1.4; [1]⁴ Ch. 7; [24] §18.) A relation $r : (X,\mathcal{T}) \leadsto (Y,\mathcal{S})$ is:

- upper semi-continuous (u.s.c.) iff for every open set $U$ in $Y$, the ∀-pre-image $\tau(r)(U)$ is open in $X$;

- lower semi-continuous (l.s.c.) iff for every open set $U$ in $Y$, the ∃-pre-image $\sigma(r)(U)$ is open in $X$;

- continuous iff it is both u.s.c. and l.s.c.

When $r : (X,\mathcal{T}) \leadsto (Y,\mathcal{S})$ is in fact a (single-valued) function, each of the semi-continuity properties is equivalent to functional continuity, since in that case, the two relational pre-image operators collapse to the familiar inverse-image operator: $\sigma(r) = \tau(r) = r^{-1}$. Logics of continuous functions are developed in [10].

The two semi-continuity properties are simply expressible in the language of the topological μ-calculus by the formulas (sentence schemes):

$$[a]\Box Z \to \Box[a]Z \quad\text{and}\quad \langle a\rangle\Box Z \to \Box\langle a\rangle Z \qquad (20)$$

In dual form, upper semi-continuity can be read as preservation of closed sets by the familiar ∃-pre-image $\sigma(r) = Pre(r)$:

$$\Diamond\langle a\rangle Z \to \langle a\rangle\Diamond Z$$

From these simple characterizations of the semi-continuity properties, it follows purely formally that each of the properties is inherited under finite relational compositions and finite relational unions (sums). Inheritance of continuity properties under infinitary fixed-point quantification is a topic of continuing investigation.

So far, the discussion of continuity is still rather formal, and a tad insubstantial. But in the case of compact metric spaces, we get to see some meat on the bones.
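As an added example (not from the paper), the S4 modalities of Definition 7 and the semi-continuity schemes (20) can be checked exhaustively on an Alexandroff topology: with $\leq$ a pre-order on a four-element set, $\Box$ is the universal pre-image $[\leq]$ and $\Diamond$ the existential pre-image $\langle\leq\rangle$, and u.s.c. is tested both by Definition 8 (over all open sets) and by scheme (20) (over all sets $Z$), which agree. The pre-order and the two relations are constructed samples.

```python
# Added example (not from the paper): the topological modalities of Definition 7
# on an Alexandroff topology, and the semi-continuity schemes (20) checked by
# brute force over all subsets of a small finite space. The pre-order and the
# relations are constructed samples.

from itertools import combinations


def closure_preorder(states, pairs):
    """Reflexive-transitive closure of `pairs`: the pre-order <= on `states`."""
    rel = set((x, x) for x in states) | set(pairs)
    changed = True
    while changed:
        changed = False
        for (x, y) in list(rel):
            for (y2, z) in list(rel):
                if y == y2 and (x, z) not in rel:
                    rel.add((x, z))
                    changed = True
    return frozenset(rel)


def sigma(rel, A):
    return frozenset(x for (x, y) in rel if y in A)


def tau(rel, A, states):
    return frozenset(x for x in states if all(y in A for (s, y) in rel if s == x))


def interior(leq, A, states):
    """int_T(A) in the Alexandroff topology of <=: the largest up-set inside A,
    i.e. the universal pre-image [<=]A (the S4 box)."""
    return tau(leq, A, states)


def closure(leq, A):
    """cl_T(A): the smallest down-set containing A, i.e. <<=>A (the S4 diamond)."""
    return sigma(leq, A)


def is_open(leq, A, states):
    """phi -> box phi is true in M."""
    return A <= interior(leq, A, states)


def is_closed(leq, A):
    """dia phi -> phi is true in M."""
    return closure(leq, A) <= A


def boundary(leq, A, states):
    """dia phi and not box phi."""
    return closure(leq, A) - interior(leq, A, states)


def subsets(states):
    s = sorted(states)
    for k in range(len(s) + 1):
        for combo in combinations(s, k):
            yield frozenset(combo)


def usc_by_definition(leq, r, states):
    """Definition 8: tau(r)(U) is open for every open U."""
    return all(is_open(leq, tau(r, U, states), states)
               for U in subsets(states) if is_open(leq, U, states))


def usc_by_scheme(leq, r, states):
    """Scheme (20): [a]box Z -> box [a]Z for every set Z (here: all subsets)."""
    return all(tau(r, interior(leq, Z, states), states)
               <= interior(leq, tau(r, Z, states), states)
               for Z in subsets(states))


def lsc_by_scheme(leq, r, states):
    """Scheme (20): <a>box Z -> box <a>Z for every set Z."""
    return all(sigma(r, interior(leq, Z, states))
               <= interior(leq, sigma(r, Z), states)
               for Z in subsets(states))


STATES = frozenset({'p', 'q', 'r', 's'})
LEQ = closure_preorder(STATES, {('p', 'q'), ('q', 'r')})   # p <= q <= r, s isolated
R_GOOD = frozenset({('p', 'r'), ('q', 'r'), ('r', 'r'), ('s', 's')})
R_BAD = frozenset({('p', 's'), ('q', 'q'), ('r', 'r'), ('s', 's')})
```

Both sample relations are single-valued, so by the remark after Definition 8 their u.s.c. and l.s.c. verdicts coincide; R_BAD fails because $\tau(r)(\{s\}) = \{p, s\}$ is not an up-set of $\leq$.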

Proposition 1. ([1] Ch. 7, Proposition 11) For relations $r : X \leadsto Y$ where $X$ and $Y$ are compact metric spaces and the direct image $r(x) \subseteq Y$ for each $x \in X$ is closed, the following are equivalent:

1. $r$ is u.s.c.;

2. for all $x \in X$ and all $\varepsilon > 0$, there is a $\delta > 0$ such that for all $x' \in X$ and $y' \in Y$,

$$d_X(x,x') < \delta \ \text{ and }\ x' \, r \, y' \;\Rightarrow\; (\exists y \in Y)[\, x \, r \, y \ \text{ and }\ d_Y(y,y') < \varepsilon \,]$$

3. as a subset of $X \times Y$, (the graph of) $r$ is closed;

4. $r^{-1} : Y \leadsto X$ is u.s.c.

The following are also equivalent:

1. $r$ is l.s.c.;

2. for all $x \in X$ and all $\varepsilon > 0$, there is a $\delta > 0$ such that for all $x' \in X$ and $y \in Y$,

$$d_X(x,x') < \delta \ \text{ and }\ x \, r \, y \;\Rightarrow\; (\exists y' \in Y)[\, x' \, r \, y' \ \text{ and }\ d_Y(y,y') < \varepsilon \,]$$

⁴ Note that in [6], [7], Aubin uses the terms "core" and "inverse-image" instead of universal and existential pre-image, while in [1], Akin uses but has neither names nor notation for the pre-image operators.

The metric u.s.c. property says that if an input $x'$ is within $\delta$ of $x$, then every point $y'$ in the output or image $r(x')$ is contained within an $\varepsilon$ "ball" or "tube" around $r(x)$. For the orbit relation $f : X \leadsto X$ of a semi-flow $\phi : X \times \mathbb{R}^+ \to X$ (defined in (11)), where $f(x) = \{\phi(x,t) \mid t \in \mathbb{R}^+\}$ is the positive trajectory from $x$, the picture really is that of an $\varepsilon$-tube: if $d_X(x,x') < \delta$ then the trajectory $f(x')$ lies inside an $\varepsilon$-tube around the trajectory $f(x)$, as illustrated in Figure 4. The idea is certainly reminiscent of the "tube neighborhoods" in the work of Gupta, Henzinger and Jagadeesan [17] on robust timed automata; the interest in that paper is on metrics on trajectories $\tau \in (\Phi \times \mathbb{R}_{>0})^*$, where $\Phi$ is a finite alphabet of event names.

When $X$ is a compact metric space, $\phi : X \times \mathbb{R}^+ \to X$ is a continuous semi-flow, and $T \subseteq \mathbb{R}^+$ is compact, the restricted orbit relation $f_T : X \leadsto X$ given by $f_T(x) = \{\phi(x,t) \mid t \in T\}$ has a closed graph and hence is u.s.c. ([1], Ch. 6). This leads to the following result on continuity properties of both sorts of transition relations in an LTS model of a hybrid automaton.

Proposition 2. Let $\mathfrak{M}_H$ be the LTS model of a hybrid automaton, as in Definition 2. Assume that each $X_q \subseteq \mathbb{R}^n$ is compact in the standard topology on $\mathbb{R}^n$. Let $\mathcal{T}_q$ be the subspace topology on $X_q$, and assume the semi-flow $\phi_q : X_q \times \mathbb{R}^+ \to X_q$ is continuous.

1. If $Inv_q$ is closed in $\mathcal{T}_q$, and time-bounded under $\phi_q$, in the sense that there is a $t_q > 0$ such that for all $x \in Inv_q$ and all $t > t_q$, $\phi_q(x,t) \notin Inv_q$, then the relation $e_q : X_q \leadsto X_q$ defined by $e_q = f_q \cap (Inv_q \times Inv_q)$ is u.s.c.

2. If $Grd_{q,q'} \subseteq X_q$ and $Inv_{q'} \subseteq X_{q'}$ are both closed, in $\mathcal{T}_q$ and $\mathcal{T}_{q'}$ respectively, and the graph of $r_{q,q'} : X_q \leadsto X_{q'}$ is closed, then the relation $c_{q,q'} : X_q \leadsto X_{q'}$ defined by $c_{q,q'} = r_{q,q'} \cap (Grd_{q,q'} \times Inv_{q'})$ is u.s.c.

The point is that the u.s.c. property is sufficiently attractive that we may wish it to be the case that all our transition relations possess it. From our observations above, all finite compositions and unions of the $e_q$ and $c_{q,q'}$ will be u.s.c. if the $e_q$ and $c_{q,q'}$ are u.s.c. Note also that for the constant jump relations $c_{q,q'} = Grd_{q,q'} \times Rst_{q,q'}$ of [27], $c_{q,q'}$ is u.s.c. when both $Grd_{q,q'}$ and $Rst_{q,q'}$ are closed.

When the relations $e_q : X_q \leadsto X_q$ and $c_{q,q'} : X_q \leadsto X_{q'}$ are lifted to relations $X \leadsto X$, the issue arises as to what is the appropriate topology on the hybrid state space $X \subseteq Q \times \mathbb{R}^n$? Taking the $X_q$ equipped with their standard topology from $\mathbb{R}^n$, the question then becomes: what topology $\mathcal{T}_Q$ on the finite discrete state space $Q$? One reasonable choice is that $Q$ really is discrete and has no topological structure, which amounts to taking $\mathcal{T}_Q$ to be the discrete topology. Then the lifted relations will be u.s.c. or l.s.c. whenever their unlifted counterparts are. An alternative reasonable choice is to consider $Q$ as structured by the control graph $G \subseteq Q \times Q$, so take $\mathcal{T}_Q = \mathcal{T}_G$ to be the (Alexandroff) topology determined by the reflexive-transitive closure $\Rightarrow_G$ of $G$. The open (closed) sets in $\mathcal{T}_G$ are those $P \subseteq Q$ that are up- (down-) invariant under $\Rightarrow_G$; the clopen sets in $\mathcal{T}_G$ are cycles under $G$. The inherited topology on $X \subseteq Q \times \mathbb{R}^n$, and the continuity properties, are more complicated, and under current investigation.

Metric structure on the state space of an LTS model can be used to define explicit metric tolerance relations that allow us to express such properties as being within $\varepsilon$ of a set, for a particular $\varepsilon > 0$. Again, the resources of modal logic come into play. For $X$ a metric space and $\varepsilon > 0$, define a relation of $\varepsilon$-tolerance or $\varepsilon$-indiscernability $(\varepsilon) : X \leadsto X$ by:

$$x \, (\varepsilon) \, x' \quad\text{iff}\quad d_X(x,x') < \varepsilon \qquad (21)$$

Such a relation is reflexive and symmetric, but not transitive. My source for the notion of a tolerance relation is Smyth's [37]. A motivating idea in that paper, which is traced back to Poincaré's The Value of Science (1905) and independently, to the topologist Zeeman in the early 1960's, is that perceptual or physical continua, as opposed to the idealized continua of classical mathematics, are of finite or countable cardinality and are structured by a relation of indiscernability that is reflexive and symmetric, but not transitive. In [1] Ch. 1, the relation $(\varepsilon)$ goes by the name $V_\varepsilon$.

Formally, we extend the alphabet $\Sigma$ of transition labels with a new symbol $\varepsilon$. Interpreting the new modalities $\langle\varepsilon\rangle$ and $[\varepsilon]$ in the standard way by the pre-image operators $\sigma(\varepsilon)$ and $\tau(\varepsilon)$, the sentence $\langle\varepsilon\rangle\varphi$ denotes the $\varepsilon$-ball around, or the $\varepsilon$-closure of, $\|\varphi\|^{\mathfrak{M}}$, that is, the set of states within $\varepsilon$ of some point in $\|\varphi\|^{\mathfrak{M}}$, while $[\varepsilon]\varphi$ denotes the $\varepsilon$-interior of $\|\varphi\|^{\mathfrak{M}}$, that is, the set of states all of whose $\varepsilon$-neighbors are in $\|\varphi\|^{\mathfrak{M}}$. The modalities for symmetric and reflexive relations are axiomatized by the modal logic KTB; see [9] §4.3.
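As an added example (not from the paper), the tolerance relation (21) and its two modalities can be computed on a constructed finite metric space: six points on a line, with coordinates in tenths so that distances are exact integers, and $\varepsilon = 10$. The code also exhibits the failure of transitivity and checks the KTB axioms T ($Z \to \langle\varepsilon\rangle Z$) and B ($Z \to [\varepsilon]\langle\varepsilon\rangle Z$) on every subset of the space.

```python
# Added example (not from the paper): the epsilon-tolerance relation (21) on a
# constructed finite metric space (six points on a line, coordinates in tenths
# so that distances are exact integers), its modalities <eps> and [eps], and
# the KTB properties: reflexive, symmetric, not transitive.

from itertools import combinations

POINTS = frozenset({0, 6, 12, 18, 24, 30})   # constructed sample states
EPS = 10                                       # tolerance, same units as the points


def tolerance(points, eps):
    """The relation (eps) of (21): x (eps) x' iff d(x, x') < eps."""
    return frozenset((x, y) for x in points for y in points if abs(x - y) < eps)


def eps_ball(rel, A):
    """<eps>A = sigma(eps)(A): states within eps of some point of A."""
    return frozenset(x for (x, y) in rel if y in A)


def eps_interior(rel, A, points):
    """[eps]A = tau(eps)(A): states all of whose eps-neighbours lie in A."""
    return frozenset(x for x in points if all(y in A for (s, y) in rel if s == x))


def is_reflexive(rel, points):
    return all((x, x) in rel for x in points)


def is_symmetric(rel):
    return all((y, x) in rel for (x, y) in rel)


def transitivity_counterexample(rel):
    """A triple x (eps) y (eps) z with x and z unrelated, or None if transitive."""
    for (x, y) in rel:
        for (y2, z) in rel:
            if y == y2 and (x, z) not in rel:
                return (x, y, z)
    return None


def ktb_instances_hold(rel, points):
    """Axiom T (Z -> <eps>Z) and axiom B (Z -> [eps]<eps>Z) checked on every
    subset Z of the sample space."""
    pts = sorted(points)
    for k in range(len(pts) + 1):
        for combo in combinations(pts, k):
            Z = frozenset(combo)
            if not Z <= eps_ball(rel, Z):
                return False
            if not Z <= eps_interior(rel, eps_ball(rel, Z), points):
                return False
    return True


TOL = tolerance(POINTS, EPS)
A = frozenset({6, 12, 18, 24})      # constructed sample set ||phi||

if __name__ == "__main__":
    print("<eps>A =", sorted(eps_ball(TOL, A)))
    print("[eps]A =", sorted(eps_interior(TOL, A, POINTS)))
    print("transitivity fails at", transitivity_counterexample(TOL))
```

Note the sandwich $[\varepsilon]\varphi \subseteq \varphi \subseteq \langle\varepsilon\rangle\varphi$ visible in the output: the $\varepsilon$-interior of A drops its two end-points, while the $\varepsilon$-ball absorbs the two outer points of the space.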

The combination of topological and tolerance structure opens up new possibilities. For example ([1] Ch.1, Corollary 2), if $a^{\mathfrak{M}} : X \leadsto X$ is u.s.c. in a compact metric space $X$, then for each closed set $\|\varphi\|^{\mathfrak{M}} \subseteq X$, and each $\varepsilon > 0$, there is a $\delta > 0$ such that the sentence

$$\langle\delta\rangle\langle a\rangle\varphi \;\to\; \langle a\rangle\langle\varepsilon\rangle\varphi \tag{22}$$

is true in $\mathfrak{M}$.

Metric tolerance structure can be used to define "imperfect precision" hybrid trajectories. In the LTS model of a hybrid automaton $H$, suppose that on each projection $X_q \subseteq \mathbb{R}^n$, we have a metric tolerance $(\delta_q) : X_q \leadsto X_q$ for some given $\delta_q > 0$. Then instead of considering "perfect precision" trajectories formed from the simple alternation of constrained evolution and controlled jump relations, as in (3), we might want to consider transition sequences:

$$e_{q_0}\cdot\delta_{q_0}\cdot c_{q_0,q_1}\cdot e_{q_1}\cdot\delta_{q_1}\cdot c_{q_1,q_2}\cdot e_{q_2}\cdots e_{q_{k-1}}\cdot\delta_{q_{k-1}}\cdot c_{q_{k-1},q_k}\cdot e_{q_k} \tag{23}$$

Operationally, this can be construed as allowing metric "gaps" of up to size $\delta_q$ between the decision to make a controlled switch $c_{q,q'}$, and the point at which such a switch actually occurs. Defining $(\delta) : X \leadsto X$ to be the union of each of the lifted relations $(\delta_q)$, the dynamics of the class of all "$\delta$-imperfect" hybrid trajectories with finite discrete traces are captured by the dual fixed-point modalities

$$\langle h_\delta\rangle\varphi \;\equiv\; \mu Z.\ \langle e\rangle\varphi \vee \langle e\rangle\langle\delta\rangle\langle c\rangle Z \qquad\text{and}\qquad [h_\delta]\varphi \;\equiv\; \nu Z.\ [e]\varphi \wedge [e][\delta][c]Z \tag{24}$$

Alternatively, one could "relax" the definition of the constrained evolution relation, and take

$$\langle e_q\rangle Z \;\equiv\; \mathit{Inv}_q \wedge \langle f_q\rangle(Z \wedge \langle\delta_q\rangle\mathit{Inv}_q)$$

that is, $e_q = f_q \cap (\mathit{Inv}_q \times \sigma(\delta_q)\mathit{Inv}_q)$, where the revised convexity property is:

$$\langle f_q\rangle\mathit{Inv}_q \wedge \langle f_q\rangle\langle\delta_q\rangle\mathit{Inv}_q \;\to\; \langle e_q\rangle\mathit{Inv}_q$$

which says: curves along $\phi_q$ that start in $\mathit{Inv}_q$ and end in $\sigma(\delta_q)\mathit{Inv}_q$ lie inside $\sigma(\delta_q)\mathit{Inv}_q$.


5  Deductive  Proof  Systems 

We present simple Hilbert-style axiomatic proof systems for the logics of interest. The axiomatizations are not intended to be minimal; rather, they are meant to serve as a useful reference list. In particular, we give the axioms and rules for both of the dual diamond and box modalities. Kozen's axiomatization [23] forms the foundation, with extensions developed in a modular fashion. So far, we have identified S4 for topological and relational pre-order modalities, and KTB for tolerance relations. A further candidate is S5, the modal logic of equivalence relations: we can give modal representation to any partition of the state space of our choosing; bisimulation equivalences spring to mind. S5 is also the base of logics of knowledge [16]: the knowledge of an agent is modeled by the equivalence relation of indistinguishability relative to its knowledge base.

Equivalent Gentzen sequent-style proof systems for the $\mu$-calculus are presented in [5], [8], and also in [40].

Definition 9. The Hilbert-style proof system for the logic $L_\mu$ has the following axioms: for transition labels $a \in \Sigma$, propositional variables $Z, W \in \mathit{PVar}$, and formulas $\varphi \in \mathcal{F}_\mu(\Phi, \Sigma)$,

CP: axioms of classical propositional logic

$\vee$-$\langle a\rangle$ : $\langle a\rangle(Z \vee W) \leftrightarrow (\langle a\rangle Z \vee \langle a\rangle W)$

$\mathrm{ff}$-$\langle a\rangle$ : $\langle a\rangle\mathrm{ff} \leftrightarrow \mathrm{ff}$

$\wedge$-$[a]$ : $[a](Z \wedge W) \leftrightarrow ([a]Z \wedge [a]W)$

$\mathrm{tt}$-$[a]$ : $[a]\mathrm{tt} \leftrightarrow \mathrm{tt}$

$\mu$-f.p. : $\varphi[Z := \mu Z.\varphi] \to \mu Z.\varphi$

$\nu$-f.p. : $\nu Z.\varphi \to \varphi[Z := \nu Z.\varphi]$

and the inference rules, for formulas $\varphi, \psi, \chi \in \mathcal{F}_\mu(\Phi, \Sigma)$:

modus ponens: $\dfrac{\varphi \qquad \varphi \to \psi}{\psi}$

substitution: $\dfrac{\varphi}{\varphi[Z := \psi]}$

$\langle a\rangle$-monotonicity: $\dfrac{\varphi \to \psi}{\langle a\rangle\varphi \to \langle a\rangle\psi}$

$[a]$-monotonicity: $\dfrac{\varphi \to \psi}{[a]\varphi \to [a]\psi}$

$\mu$-least-f.p.: $\dfrac{\varphi[Z := \psi] \to \psi}{\mu Z.\varphi \to \psi}$

$\nu$-greatest-f.p.: $\dfrac{\psi \to \varphi[Z := \psi]}{\psi \to \nu Z.\varphi}$

Hoare composition: $\dfrac{\psi \to \langle a\rangle\chi \qquad \chi \to \langle b\rangle\varphi}{\psi \to \langle a\rangle\langle b\rangle\varphi}$

Hoare composition: $\dfrac{\psi \to [a]\chi \qquad \chi \to [b]\varphi}{\psi \to [a][b]\varphi}$

We write $L_\mu \vdash \varphi$, for formulas $\varphi \in \mathcal{F}_\mu(\Phi, \Sigma)$, if there is a proof of $\varphi$ in $L_\mu$.

The axioms and monotonicity rules for $\langle a\rangle$ and $[a]$ together assert that they are normal diamond (possibility) and box (necessity) modalities ([9] Ch. 4); they are equivalent to system K (for Kripke), the logic of generic binary relations. In the language of [26], $\langle a\rangle$ denotes a normal and finitely additive operator on a Boolean algebra. The Hoare composition rules follow readily from monotonicity. As always, we assume substitutions $\varphi[Z := \psi]$ are legitimate ones; i.e. no capture of free variables.

The axioms and rules for the fixed-point quantifiers assert what they ought: that $\mu Z.\varphi$ ($\nu Z.\varphi$) is the least (greatest) fixed point of the operator defined by $\varphi$.

Each of the rules is readily verified to be truth-preserving, in the sense that for any LTS model $\mathfrak{M}$, if the hypotheses of a rule are true in $\mathfrak{M}$ then the conclusion is true in $\mathfrak{M}$. From the verification that each of the axioms is true in every LTS model, we then get soundness: if $L_\mu \vdash \varphi$ then $\mathfrak{M} \models \varphi$ for all LTS models $\mathfrak{M}$ of signature $(\Phi, \Sigma)$.
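As an added example (not code from the paper), the following Python model checker evaluates $\mu$-calculus formulas over a finite LTS by Kleene iteration from the bottom (for $\mu$) or the top (for $\nu$) of the powerset lattice. It serves two passages: the dual fixed-point modalities $\langle h_\delta\rangle\varphi$ and $[h_\delta]\varphi$ of (24), evaluated on a constructed two-mode hybrid automaton discretised to ten states, where the $\delta$-gap makes a switch at the boundary of $\mathit{Inv}_{q_0}$ reachable that perfect-precision trajectories miss; and the axioms of Definition 9, whose instances are checked as set identities in that model, the per-model verification that soundness repeats over every LTS model. The state grid, invariants, guard positions, labels e/d/c and the atom `target` are all assumptions of the example.

```python
"""Modal mu-calculus model checking over a finite LTS.

Added example, not part of the original paper.  Two uses: (i) the dual
fixed-point modalities <h_delta>phi and [h_delta]phi of (24) are evaluated
on a constructed two-mode hybrid automaton, discretised to ten states, and
compared with the perfect-precision form that omits the tolerance step;
(ii) instances of the axioms of Definition 9 are checked as set identities
in that model.  Formulas are tuples in positive normal form (negation only
on atoms), so every fixed-point body is monotone in its bound variable and
the Kleene iteration below reaches the least / greatest fixed point.
"""

def pre(rel, S):
    """Existential pre-image: states with some rel-successor in S."""
    return frozenset(x for x, y in rel if y in S)

def sem(f, m, env=None):
    """||f||^m under the assignment env (variable name -> set of states)."""
    env = env or {}
    X, R, V = frozenset(m["states"]), m["rel"], m["val"]
    op = f[0]
    if op == "tt":    return X
    if op == "ff":    return frozenset()
    if op == "atom":  return frozenset(V[f[1]])
    if op == "natom": return X - frozenset(V[f[1]])
    if op == "var":   return env[f[1]]
    if op == "and":   return sem(f[1], m, env) & sem(f[2], m, env)
    if op == "or":    return sem(f[1], m, env) | sem(f[2], m, env)
    if op == "dia":   return pre(R[f[1]], sem(f[2], m, env))
    if op == "box":   return X - pre(R[f[1]], X - sem(f[2], m, env))
    if op in ("mu", "nu"):            # iterate from bottom (mu) or top (nu)
        Z, body = f[1], f[2]
        cur = frozenset() if op == "mu" else X
        while True:
            nxt = sem(body, m, {**env, Z: cur})
            if nxt == cur:
                return cur
            cur = nxt
    raise ValueError(f"unknown operator {op!r}")

def subst(f, Z, psi):
    """f[Z := psi]; substitutions are assumed capture-free, as in the text."""
    op = f[0]
    if op == "var":
        return psi if f[1] == Z else f
    if op in ("and", "or"):
        return (op, subst(f[1], Z, psi), subst(f[2], Z, psi))
    if op in ("dia", "box"):
        return (op, f[1], subst(f[2], Z, psi))
    if op in ("mu", "nu") and f[1] != Z:
        return (op, f[1], subst(f[2], Z, psi))
    return f                          # tt, ff, atoms, or Z rebound here

def check_axioms(m, a, A, B, Z, body):
    """Definition 9's axioms, instantiated by closed formulas A, B and the
    fixed-point body `body` in variable Z; returns axiom name -> holds in m."""
    s = lambda g: sem(g, m)
    X = frozenset(m["states"])
    mu, nu = ("mu", Z, body), ("nu", Z, body)
    return {
        "or-dia":  s(("dia", a, ("or", A, B))) == s(("dia", a, A)) | s(("dia", a, B)),
        "ff-dia":  s(("dia", a, ("ff",))) == frozenset(),
        "and-box": s(("box", a, ("and", A, B))) == s(("box", a, A)) & s(("box", a, B)),
        "tt-box":  s(("box", a, ("tt",))) == X,
        "mu-fp":   s(subst(body, Z, mu)) <= s(mu),   # body[Z := mu Z.body] -> mu Z.body
        "nu-fp":   s(nu) <= s(subst(body, Z, nu)),   # nu Z.body -> body[Z := nu Z.body]
    }

# Constructed hybrid LTS: mode q0 flows x upward, q1 flows x downward, with
# x discretised to {0,..,4}; delta_q = 1 in both modes.  The jump out of q0
# is guarded at x = 4, just outside Inv_q0, so it is reachable only via a gap.
INV = {"q0": {0, 1, 2, 3}, "q1": {1, 2, 3, 4}}
GRID = range(5)
STATES = frozenset((q, i) for q in INV for i in GRID)
MODEL = {
    "states": STATES,
    "rel": {
        "e": frozenset(((q, i), (q, j)) for q in INV for i in INV[q] for j in INV[q]
                       if (j >= i if q == "q0" else j <= i)),   # f_q on Inv_q x Inv_q
        "d": frozenset(((q, i), (q, j)) for q in INV for i in GRID for j in GRID
                       if abs(i - j) <= 1),                      # lifted (delta_q)
        "c": frozenset({(("q0", 4), ("q1", 4)), (("q1", 1), ("q0", 1))}),
    },
    "val": {"target": {("q1", 1)}},
}
PHI = ("atom", "target")
H_BODY = ("or", ("dia", "e", PHI),
          ("dia", "e", ("dia", "d", ("dia", "c", ("var", "Z")))))
DIA_H = ("mu", "Z", H_BODY)                      # <h_delta>phi, as in (24)
BOX_H = ("nu", "Z", ("and", ("box", "e", PHI),   # [h_delta]phi, as in (24)
         ("box", "e", ("box", "d", ("box", "c", ("var", "Z"))))))
PERFECT = ("mu", "Z", ("or", ("dia", "e", PHI),  # same, without the delta step
           ("dia", "e", ("dia", "c", ("var", "Z")))))

def reach_imperfect(): return sem(DIA_H, MODEL)
def reach_perfect():   return sem(PERFECT, MODEL)
def box_h_delta():     return sem(BOX_H, MODEL)

if __name__ == "__main__":
    print("perfect precision :", sorted(reach_perfect()))
    print("delta-imperfect   :", sorted(reach_imperfect()))
    print("axioms of Def. 9  :",
          check_axioms(MODEL, "e", PHI, ("dia", "c", ("tt",)), "Z", H_BODY))
```

In this model the perfect-precision form only reaches `target` from states already in mode q1, because e is confined to $\mathit{Inv}_{q_0}$ and the guard sits at $x = 4$; the e·δ·c pattern of (23) lets every q0 state inside the invariant cross the gap and switch, so the $\delta$-imperfect set strictly contains the perfect one. The box modality is checked against its dual, $[h_\delta]\varphi = \neg\langle h_\delta\rangle\neg\varphi$, rather than against a hand-computed set.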

Definition 10. The Hilbert-style proof system for the logic $L_\mu + \mathrm{S4}$ in the language $\mathcal{F}_\mu(\Phi, \Sigma)$ is obtained from that of $L_\mu$ by adding the normality axioms and rules for $\Diamond$ and $\Box$, together with: for propositional variables $Z \in \mathit{PVar}$,

$\mathrm{T}\Diamond : Z \to \Diamond Z \qquad\qquad \mathrm{T}\Box : \Box Z \to Z$

$4\Diamond : \Diamond\Diamond Z \to \Diamond Z \qquad\qquad 4\Box : \Box Z \to \Box\Box Z$

The proof system for the logic $L_\mu + \mathrm{S4} + C_a$ is that of $L_\mu + \mathrm{S4}$ together with $C_a$, where $C_a$ is one or more of the semi-continuity axiom schemes:

$\mathrm{usc}\langle a\rangle : \Diamond\langle a\rangle Z \to \langle a\rangle\Diamond Z \qquad\qquad \mathrm{usc}[a] : [a]\Box Z \to \Box[a]Z$

$\mathrm{lsc}\langle a\rangle : \langle a\rangle\Box Z \to \Box\langle a\rangle Z \qquad\qquad \mathrm{lsc}[a] : \Diamond[a]Z \to [a]\Diamond Z$

In the relational (preorder) semantics for S4, the T axioms correspond to reflexivity, while the 4 axioms correspond to transitivity. Extensions of the Hoare composition rules:

$$\frac{\psi \to [a]\Box\chi \qquad \chi \to [b]\Box\varphi}{\psi \to [a][b]\Box\varphi} \qquad\qquad \frac{\psi \to \langle a\rangle\Box\chi \qquad \chi \to \langle b\rangle\Box\varphi}{\psi \to \langle a\rangle\langle b\rangle\Box\varphi}$$

can be derived in the systems $L_\mu + \mathrm{S4} + \mathrm{usc}[a] + \mathrm{usc}[b]$ and $L_\mu + \mathrm{S4} + \mathrm{lsc}\langle a\rangle + \mathrm{lsc}\langle b\rangle$ respectively.

Definition 11. The Hilbert-style proof system for the logic $L_\mu + \mathrm{KTB}$ in the language $\mathcal{F}_\mu(\Phi, \Sigma \cup \{\varepsilon\})$ is obtained from that of $L_\mu$ by adding the normality axioms and rules for $\langle\varepsilon\rangle$ and $[\varepsilon]$; the axioms $\mathrm{T}\langle\varepsilon\rangle$ and $\mathrm{T}[\varepsilon]$; and also:

$\mathrm{B}\langle\varepsilon\rangle : \langle\varepsilon\rangle[\varepsilon]Z \to Z \qquad\qquad \mathrm{B}[\varepsilon] : Z \to [\varepsilon]\langle\varepsilon\rangle Z$

The B axioms express that tolerance relations $(\varepsilon)$ are symmetric.


Definition 12. The Hilbert-style proof system for the logic $L_\mu + \mathrm{S5}$ in the language $\mathcal{F}_\mu(\Phi, \Sigma \cup \{\approx\})$ is obtained from that of $L_\mu$ by adding the normality axioms and rules for $\langle\approx\rangle$ and $[\approx]$; the axioms $\mathrm{T}\langle\approx\rangle$, $\mathrm{T}[\approx]$, $4\langle\approx\rangle$ and $4[\approx]$; and also:

$5\langle\approx\rangle : \langle\approx\rangle[\approx]Z \to [\approx]Z \qquad\qquad 5[\approx] : \langle\approx\rangle Z \to [\approx]\langle\approx\rangle Z$

The 5 axioms express that $\approx$ is a Euclidean relation: if $x \approx y$ and $x \approx z$ then $y \approx z$. And reflexive, transitive and Euclidean binary relations are exactly equivalence relations. Under the knowledge interpretation of S5, the axiom $5[\approx]$ is usually referred to as the axiom of negative introspection: $\neg[\approx]\varphi \to [\approx]\neg[\approx]\varphi$, which reads: "if it is not the case that agent A knows $\varphi$, then agent A knows that it is not the case that she knows $\varphi$".
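The correspondence between the T, 4, B and 5 axiom schemes of Definitions 10 to 12 and reflexivity, transitivity, symmetry and the Euclidean property can be checked mechanically on a finite frame. The following is an added example, not code from the paper: for three constructed relations on six states (a tolerance relation on a line, a preorder, and an equivalence) it tests each relational property directly and checks each scheme against every valuation of $Z$, including the negative-introspection form of $5[\approx]$. The state space and the three relations are assumptions of the example.

```python
"""Frame conditions behind the S4, KTB and S5 extensions (Definitions 10-12).

Added example, not part of the original paper.  For a relation R on a small
constructed state space it (i) tests reflexivity, transitivity, symmetry and
the Euclidean property directly, and (ii) checks the axiom schemes T, 4, B
and 5 over every valuation of the variable Z.  The two readings agree on
every frame; that agreement is the correspondence the text appeals to.
"""
from itertools import combinations

STATES = frozenset(range(6))

def all_valuations():
    """Every subset of STATES, i.e. every value a propositional variable can take."""
    for k in range(len(STATES) + 1):
        for c in combinations(sorted(STATES), k):
            yield frozenset(c)

def dia(R, S):
    """<>S: states with some R-successor in S."""
    return frozenset(x for x, y in R if y in S)

def box(R, S):
    """[]S: states all of whose R-successors are in S (dual of dia)."""
    return STATES - dia(R, STATES - S)

def relational_properties(R):
    return {
        "reflexive":  all((x, x) in R for x in STATES),
        "transitive": all((x, z) in R for x, y in R for y2, z in R if y == y2),
        "symmetric":  all((y, x) in R for x, y in R),
        "euclidean":  all((y, z) in R for x, y in R for x2, z in R if x == x2),
    }

def axiom_schemes(R):
    """A scheme holds on the frame iff its instance is valid for every Z."""
    schemes = {
        "T": lambda Z: Z <= dia(R, Z),                      # Z -> <>Z
        "4": lambda Z: dia(R, dia(R, Z)) <= dia(R, Z),      # <><>Z -> <>Z
        "B": lambda Z: dia(R, box(R, Z)) <= Z,              # <>[]Z -> Z
        "5": lambda Z: dia(R, box(R, Z)) <= box(R, Z),      # <>[]Z -> []Z
    }
    return {name: all(f(Z) for Z in all_valuations()) for name, f in schemes.items()}

def negative_introspection(R):
    """5[~] in its knowledge reading: ~[]Z -> []~[]Z, for every Z."""
    return all(STATES - box(R, Z) <= box(R, STATES - box(R, Z))
               for Z in all_valuations())

def correspondence_holds(R):
    """Relational property and axiom scheme agree, property by property."""
    p, s = relational_properties(R), axiom_schemes(R)
    return (p["reflexive"] == s["T"] and p["transitive"] == s["4"]
            and p["symmetric"] == s["B"] and p["euclidean"] == s["5"])

# Constructed frames: a tolerance relation on a line, a preorder, an equivalence.
TOLERANCE = frozenset((x, y) for x in STATES for y in STATES if abs(x - y) <= 1)
PREORDER = frozenset((x, y) for x in STATES for y in STATES if x <= y)
EQUIVALENCE = frozenset((x, y) for x in STATES for y in STATES if x // 3 == y // 3)

if __name__ == "__main__":
    for name, R in [("tolerance", TOLERANCE), ("preorder", PREORDER),
                    ("equivalence", EQUIVALENCE)]:
        print(name, axiom_schemes(R), "correspondence:", correspondence_holds(R))
```

The tolerance frame validates T and B but neither 4 nor 5, the preorder validates T and 4 only, and the equivalence validates all four; in each case the brute-force check over the 64 valuations agrees with the direct test on the relation. Negative introspection holds on the equivalence and fails on the tolerance frame, for the same reason 5 does.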

Walukiewicz has recently established the completeness of the Kozen axiomatization with respect to the standard set-theoretic semantics for the $\mu$-calculus.

Theorem 1. ([39], [40]) Soundness and Completeness of $L_\mu$ (set-theoretic semantics)

For all formulas $\varphi \in \mathcal{F}_\mu(\Phi, \Sigma)$,

$$L_\mu \vdash \varphi \quad\text{iff}\quad \mathfrak{M} \models \varphi \ \text{ for all LTS models } \mathfrak{M} \text{ of signature } (\Phi, \Sigma).$$

The completeness part of the cited theorem is stated in the form: if $\varphi$ is unsatisfiable in every LTS model $\mathfrak{M}$, i.e. $\|\varphi\|^{\mathfrak{M}}_\xi = \emptyset$ for all assignments $\xi$ in $\mathcal{V}(X)$, then $\neg\varphi$ is provable in $L_\mu$. Walukiewicz's proof is very intricate, proceeding by first contracting to a subclass of "nice" formulas, and then producing a "tableaux refutation" of unsatisfiable formulas of nice form, where such a refutation in turn implies that the negation of the given formula is provable in $L_\mu$. Topics of continuing enquiry include whether the Walukiewicz proof can be extended to cover specific modal enrichments of $L_\mu$, and the relationship between his tableaux refutation system and a tableaux proof system for the $\mu$-calculus and polymodal extensions, in the style of [35] and [10].

The algebraic semantics of Kwiatkowska et al. [5], [8], provide a framework for extending Stone duality theory to the algebra of fixed-points. Their proof of completeness for modal $\mu$-frames starts with the Lindenbaum algebra $\mathcal{F}_{L_\mu}$ of formulas in $\mathcal{F}_\mu(\Phi, \Sigma)$ modulo provable equivalence in $L_\mu$, then realizes the abstract $\mu$-algebra as a canonical LTS model $\mathfrak{M}_{L_\mu}$ with state space the Stone space $X = \mathrm{Ult}(\mathcal{F}_{L_\mu})$ of (Boolean) ultrafilters in $\mathcal{F}_{L_\mu}$, together with the canonical $\mu$-algebra $\mathcal{A}_{L_\mu} = \mathrm{Clop}(\mathrm{Ult}(\mathcal{F}_{L_\mu}))$ of subsets of $X$ clopen in the Stone topology. For each $a \in \Sigma$, and $\mathfrak{M} = \mathfrak{M}_{L_\mu}$, the relations $a^{\mathfrak{M}}$ on $X$ are defined by:

$$x \; a^{\mathfrak{M}} \; y \quad\text{iff}\quad (\forall \varphi \in \mathcal{F}_{L_\mu})\,[\,[a]\varphi \in x \;\Rightarrow\; \varphi \in y\,].$$

The formal statement of the result is as follows.

Theorem 2. ([5]) Soundness and Completeness of $L_\mu$ (algebraic semantics)

For all formulas $\varphi \in \mathcal{F}_\mu(\Phi, \Sigma)$,

$$L_\mu \vdash \varphi \quad\text{iff}\quad (\mathfrak{M}, \mathcal{A}) \models \varphi \ \text{ for all modal } \mu\text{-frames } (\mathfrak{M}, \mathcal{A}) \text{ of signature } (\Phi, \Sigma).$$

In [8] §6, it is established that if $(\mathfrak{M}, \mathcal{A})$ is a descriptive modal $\mu$-frame, then $(\mathfrak{M}, \mathcal{A})$ is in semantic agreement with $\mathfrak{M}$. In particular, the canonical frame $(\mathfrak{M}_{L_\mu}, \mathcal{A}_{L_\mu})$ is descriptive, and thus in semantic agreement with the underlying LTS model $\mathfrak{M}_{L_\mu}$. Thus the "easy" algebraic proof of completeness can be used to give an alternative proof of completeness of $L_\mu$ with respect to the standard set-theoretic semantics, as stated in Theorem 1.

The Kwiatkowska algebraic completeness proof extends quite smoothly to normal polymodal extensions of the $\mu$-calculus, including topological S4 extensions with semi-continuity axioms. For example, if $L = L_\mu + \mathrm{S4} + \{\mathrm{usc}[a] + \mathrm{lsc}\langle a\rangle\}_{a \in \Sigma}$, the topology on the canonical model $\mathfrak{M}_L$ comes from a relation on $X = \mathrm{Ult}(\mathcal{F}_L)$ defined in the same way as the relations $a^{\mathfrak{M}_L}$ above. The S4 axioms ensure that the relation is a preorder, so the topology is Alexandroff, and from the semi-continuity axiom schemes, one proves that each of the relations $a^{\mathfrak{M}_L}$ has the corresponding semi-continuity property. A more detailed treatment is given in [12].


6  Discussion 

We have developed a family of expressively rich and usable logical systems and broadened horizons for the formal analysis of hybrid dynamical systems. In addition to those mentioned in the text, further lines of enquiry include the following.

— Investigation of non-deterministic continuous dynamics, in the form of set-valued or parametrized semi-flows, and their topological properties. Our relation-based view of dynamics is of course conducive to such generalizations.

— A deeper investigation of relations (definable families) in o-minimal structures, and of the use of finite cell-decomposition in the construction of topological bisimulations.

— Further investigation of finite sub-topologies of the standard topology on $X \subseteq \mathbb{R}^n$, and semi-continuity properties of relations in such topologies, pursuing themes developed in [11].

— Application to hybrid systems of the theory of knowledge in multi-agent settings and its formalization in S5-based logics of knowledge.

— LTS models and $\mu$-calculus specifications of hybrid Petri nets. One approach is to take the state space $X$ to be a set of finite partial functions $x : P \rightharpoonup \mathbb{R}$ (equivalently, variable-length vectors over $\mathbb{R}$), where $P$ is the finite set of places of the net.

— Application of game-theoretic methods for the $\mu$-calculus, and related work on automata over transition systems; e.g. [25], [22].

— Investigation of tableaux proof systems for polymodal logics and the $\mu$-calculus, in the style of [35] and [10].

— Investigation of intuitionistic (constructive) logics for hybrid systems, using topological semantics and S4 as a bridge between the classical and constructive worlds.